The SFTPPlus 3.33.0 release is a major security update for the HTTP/HTTPS file transfer service and the SFTPPlus Local Manager service.
This update addresses the vulnerabilities concerning Cross-Site Request Forgery Attacks and Cross-Site Scripting Attacks on the aforementioned services.
Customers that are not accessing SFTPPlus services from a web browser are not exposed to these vulnerabilities. In addition, customers utilizing FTP, FTPS, SFTP, and SCP protocols are not affected.
We recommend that all affected customers should upgrade to the SFTPPlus 3.33.0 release, since it includes fixes for Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities.
To mitigate the risk in older SFTPPlus versions, we recommend the following actions:
- Do not have other tabs or windows open in the same browser while being authenticated to a SFTPPlus service, or
- Use a private window or a separate profile / container.
- Log out from the SFTPPlus service as soon as your have completed your tasks.
The aforementioned security issues were due to ProAtria not performing a security audit of SFTPPlus, when used from an interactive browser.
Taking into consideration the current challenges of HTTP security, we have now updated our security practices and implemented automated tests. These tests will cover the HTTP-specific attacks against SFTPPlus when accessed from a web browser.
SFTPPlus continues to be focused on automated, non-interactive file transfers in a secure fashion. Our security practices have been designed to make this a reality for our clients.
For assistance in upgrading your installation or for further questions, please do not hesitate to contact the Support team by replying to this email.
You can check the full release notes here.