Popular enterprise file management and collaborative file sharing solution Micro Focus Filr sports half a dozen security flaws, most of which can be exploited – either by themselves or concatenated – to take over control of the (virtual) appliance.
There’s a Cross Site Request Forgery and an OS Command Injection flaw, a Persistent Cross-Site Scripting and an Authentication Bypass vulnerability, a Path Traversal and a Local Privilege Escalation (via Insecure File Permissions) hole.
All except the last one, which was fixed in June, have been now plugged.
The flaws were discovered by SEC Consult researcher Wolfgang Ettlinger. He also pointed out to the development team some problematic design choices, and the lack of certain cookie flags. Some of these problems have been fixed, and others will be in future releases, as more complex work is needed.
More details about the vulnerabilities, as well as PoC exploit code for each of them, can be found here.
SEC Consult has coordinated the release of the vulnerabilities’ details with Micro Focus, which released patches for these flaws and a couple of others on Friday.
The flaws were found during “a very quick security check.” The company made sure to note that since they did not conduct a thorough technical security check, they “cannot make a statement regarding the overall security of the Micro Focus Filr appliance.”