The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (Managed File Transfer) allows a remote unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.
Vendor has acknowledged the vulnerability and promptly notified all impacted customers and provided a patch.
Primeur Spazio - 2.5.1.954.
Other versions may also be affected.
In order to exploit the vulnerability, an unauthenticated attacker should send crafted HTTP Request
Andrea Mattiazzo, Alessandro Cudini, Antonio Montesano, Emanuele Chiossi, Giovanni Battista Colonna
https://www.primeur.com/managed-file-transfer
Navigating the website without any kind of credentials and executing fuzzing on the root directory, it has been observed that some web resources were built at real-time.
After an in-depth analysis it was observed those resources (i.e. folders) are strictly related to already existent data directories (i.e. subfolders of root web folder) on the web server.
Creating a crafted HTTP request pointing to these data directories cutting the trailing "/" character, the web server answers with an unmanaged memory leak in HTTP response. As an example we created two folders on the webserver called "assets" and "pippo" in order to reproduce the unsecure behaviour obtaining the memory leak.
By downloading or navigating the resource containing the memory leak, it has been possible to gain access to the exfiltrated buffer of memory which contained the content of files exchanged by authorized users who are using the File Transfer solution, hence leading to an information disclosure.
Since folders name is usually easy-enumerable by any fuzzer, and some folders have standard naming (errors, templates, images), the bug can be easily exploited.