For example, the server returns different error messages depending on the username’s registration status:
- Registered Username:
- Unregistered Username:
Raw request:

```http
POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123
```
This lack of uniformity creates an information disclosure vulnerability that violates secure authentication practices and enables silent reconnaissance.
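To make the defect concrete, here is an added example (not ShareFile's code) of a hypothetical OTP-verification handler in the leaky shape the advisory describes, beside a version that answers every failure with one body. The user store, the function names and the response bodies are assumptions chosen for illustration.

```python
"""Added example (not ShareFile's code): a hypothetical OTP-verification
handler in its leaky form beside a uniform-response form."""
import hmac

# Constructed user store: username -> current one-time code. Hypothetical.
USERS = {"alice@example.com": "482913"}

# Dummy code compared for unknown users so both paths do the same work.
DUMMY_OTP = "000000"
GENERIC_FAILURE = {"error": "verification failed"}


def verify_otp_leaky(username, code):
    """Vulnerable shape: the reply for an unknown user differs from the
    reply for a wrong code, so the response alone reveals registration."""
    if username not in USERS:
        return {"error": "unknown user"}
    if not hmac.compare_digest(USERS[username], code):
        return {"error": "invalid code"}
    return {"result": "ok"}


def verify_otp_uniform(username, code):
    """Hardened shape: every failure returns the same body. The comparison
    runs even for unknown users so the timing profile matches too; the
    `known` flag, not the dummy comparison, decides success."""
    expected = USERS.get(username)
    known = expected is not None
    match = hmac.compare_digest(expected if known else DUMMY_OTP, code)
    if known and match:
        return {"result": "ok"}
    return dict(GENERIC_FAILURE)


def leaks_existence(handler, registered, unregistered):
    """Check a handler the way a reviewer would: submit one wrong code for a
    registered and an unregistered user and see whether the replies differ."""
    return handler(registered, "bad-code") != handler(unregistered, "bad-code")


if __name__ == "__main__":
    for handler in (verify_otp_leaky, verify_otp_uniform):
        print(handler.__name__, "leaks existence:",
              leaks_existence(handler, "alice@example.com", "nobody@example.com"))
```

The `leaks_existence` check is the test to keep in a regression suite: it fails for the leaky handler and passes for the uniform one. Status codes, headers and response length should be held identical in the same way; the body is only the most visible channel.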
Exploitation Steps
The enumeration process is straightforward and does not require credentials:

1. Prepare an OTP verification request, substituting in a username or email address from a target list.
2. Send the request to the ShareFile server.
3. Observe the response: the server responds differently based on whether the specified username exists or not.
4. Repeat the process with a list of possible usernames to compile a set of valid accounts.
This technique can be automated to quickly identify active accounts in the environment, setting the stage for follow-up attacks like password spraying or phishing.
Recommended Mitigations:
- Standardize OTP verification responses for both valid and invalid usernames.
- Implement rate limiting and alerting for failed OTP validation attempts.
- Restrict unauthenticated access to OTP-related endpoints when possible.
- Monitor logs for suspicious patterns of OTP submissions from untrusted sources.
- Educate users about phishing risks and enforce multi-factor authentication (MFA).
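The alerting and log-monitoring mitigations above can be reduced to one rule: a single source submitting OTP verifications for many distinct usernames in a short window is enumeration, not a user retrying a code. The following added example (not ShareFile's tooling) runs that rule over constructed log lines. The log format, the field names and the threshold are assumptions; the `op=webflow-verify` parameter is the one from the request shown earlier.

```python
"""Added example (not ShareFile's tooling): flag sources that verify OTPs
against many distinct usernames inside a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample log (not real ShareFile output). Assumed line format:
# "<ISO-8601 time> <client ip> POST <path> <urlencoded body>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u1%40example.com&code=000000
2024-05-01T10:00:02Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u2%40example.com&code=000000
2024-05-01T10:00:04Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u3%40example.com&code=000000
2024-05-01T10:00:06Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u4%40example.com&code=000000
2024-05-01T10:00:08Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u5%40example.com&code=000000
2024-05-01T10:00:10Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u6%40example.com&code=000000
2024-05-01T10:00:11Z 198.51.100.20 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=alice%40example.com&code=111111
2024-05-01T10:00:40Z 198.51.100.20 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=alice%40example.com&code=222222
2024-05-01T10:00:50Z 198.51.100.20 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-login&username=alice%40example.com
2024-05-01T10:15:00Z 203.0.113.7 POST /oauth/oauthapi.aspx tool=oauth-webpop&op=webflow-verify&username=u7%40example.com&code=000000
this line is not a request and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) (?P<body>\S+)$")


def parse_line(line):
    """Return {'ts', 'ip', 'username'} for an OTP verification request,
    or None for anything else (other operations, malformed lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = parse_qs(m.group("body"))
    if params.get("op") != ["webflow-verify"] or "username" not in params:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m.group("ip"), "username": params["username"][0]}


def find_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {ip: peak_distinct_usernames} for every source that verified
    OTPs for at least `threshold` distinct usernames within any
    `window_seconds` span. Retries for one username never trip the rule."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append((ev["ts"], ev["username"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, peak in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} distinct usernames verified within 60s")
```

In the sample, 203.0.113.7 touches six usernames in ten seconds and is flagged, while 198.51.100.20 retrying one username twice is not; the seventh username fifteen minutes later sits outside the window and does not raise the peak. Tune the threshold per source: a shared NAT or proxy egress legitimately carries several users, so key on the combination of source, distinct-username count and failure outcome rather than request volume alone.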
Conclusion:
This vulnerability in Citrix ShareFile (≤ 19.1) underscores the importance of consistent server-side handling of authentication-related operations. The ability to enumerate valid usernames without authentication creates unnecessary exposure and elevates the risk of follow-on attacks.
Reporting Information:
Affected Versions: Citrix ShareFile through 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7217