CVE-2022-22828: Version History for SynaMan
An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.
This page lists all public releases of SynaMan. It does not list every nightly build, so you will see gaps in the build numbers.
Version 5.0
Build 1589 - January 03, 2022
- Ability to enable ciphers recommended by FIPS 140-2 guidelines. Details…
- Ability to block user id besides IP address when incorrect passwords are specified.
- X-Forwarded-For header is honored when SynaMan runs behind a reverse proxy server
- Security Fix - Files affecting CVE-2019-17571 and CVE-2021-4104 are removed from SynaMan. Although these files were present in the older builds, they were not used. Out of an abundance of caution, this build completely removes them.
- Security Fix - URLs for public link downloads can be modified with guessed file names to download unauthorized files.
- Security Fix - A user can potentially create a public link with JavaScript in the comments field, which could launch an XSS attack in the recipient’s email client.
Version 4.9
Build 1580 - September 23, 2021
- Bug Fix: Files in the recycling bin are saved even when disabled.
Build 1579 - September 07, 2021
- Recycle Bin has been added. Details…
- Ability to download uploaded files through the notification email message.
- Ability to upload multiple files from mobile devices, such as iPhone/Android.
- File Explorer’s height gets adjusted on large screen.
- Enhanced restarting.
- Ability to modify existing folders, rather than creating new folders
- Ability to patch a custom version using the web interface.
- Security Update: jQuery version has been updated to mitigate risks mentioned in CVE-2015-9251, CVE-2015-11358, CVE-2020-11022, CVE-2020-11023
- Security Update: Ability to force TLS 1.2
- Security Update: Restore password URL uses AES encryption for authentication token for enhanced entropy.
- New icons have been added to Manager User and Folder screen to indicate encryption and recycle bin.
- Bug Fix: Mobile interface ignores delete and zip/unzip permissions
- Bug Fix: Audit and Access logs are not created when connecting from mobile devices
- Bug Fix: Current activity is not updated when using Login URL from a mobile device
Version 4.8
Build 1567 - April 19, 2021
- At-rest encryption has been added. Details…
- Ability to force new users to change their password upon first login
- Ability to automatically connect to broken mounted drives.
- Ability to contact support from the web interface
- Bug Fix: Unable to download folders containing % sign.
- Bug Fix: Default quota is not set when creating users from LDAP or invitation.
Version 4.7
Build 1557 - August 24, 2020
- Access Logs. Details…
- Mapped Drives across the Internet from any desktop machine. Details…
- Ability to view and remove blacklisted IP address from Configuration/Security screen.
- Bug Fix: Certain special characters were not allowed in password.
Version 4.6
Build 1548 - June 23, 2020
- Granular permissions. Details…
- Ability to upload multiple files when CSRF is enabled
- User Management screen has been enhanced to accommodate additional security permissions
Version 4.5
Build 1544 - April 14, 2020
- Ability to Search Files. Details…
- Ability to reset forgotten passwords, rather than sending the password via email, which was not secure.
- Security Fix: A vulnerability (CVE-2019-8331) was fixed.
Version 4.4
Build 1533 - February 11, 2020
- Bug Fix: Uploads fail unless you explicitly select an action for Harmful Extensions
- Bug Fix: User validation from Active Directory fails occasionally.
- Bug Fix: The Auto Update configuration toggles itself when the page is saved.
Build 1532 - February 10, 2020
- Ability to prevent/rename potentially malicious files. Details…
- Ability to use LDAP servers other than MS Exchange
- Security Fix: HTTP redirection is forced after adding a new user, preventing someone from hitting the back button to reveal passwords.
- Security Fix: Password policy rules are enforced even when administrators create new accounts
Version 4.3
Build 1525 - August 28, 2019
- Ability to deny connections from Tor Nodes. Details…
- Email notifications for public links are now in HTML
- Confirmation dialog after creating a public link has been enhanced
- Ability to prompt for end-user information before they upload/download files using public links. Details…
- Ability to automatically block IP addresses that appear to send malicious requests
- Security Fix: CSRF attacks were possible when uploading files.
- Bug Fix: A 404 error is generated when using a DNS server for Let’s Encrypt challenge
- Bug Fix: Let’s Encrypt certificate cannot be renewed automatically if using a different HTTP server for challenge
Version 4.2
Build 1517 - April 29, 2019
- Ability to integrate with Let’s Encrypt to create FREE SSL certificate. Details…
- Ability to check-in/out files (Enterprise Edition) Details…
- Web server has been updated
- Ability to make passwords mandatory for public links.
- Security Fix: XSS attack against SynaMan is possible through user’s invitation screen.
Version 4.1
Build 1506 - Feb 18, 2019
- Security Fix: Ability to call JSP files directly is disabled
- Bug Fix: Emails are sent out using the admin account when public links are created.
- Bug Fix: File names containing non-English characters are occasionally corrupted when using MS Edge.
- Bug Fix: Total branding adds a question mark at the beginning of the page
Build 1500 - Sept 26, 2018
- Ability to route emails via Synametrics WebSMTP service if communication to your SMTP server fails. Details …
Build 1498 - August 15, 2018
- Bug Fix: Files larger than 2.1GB occasionally get truncated when using the AJAX browser
Build 1496 - July 26, 2018
- Bug Fix: Enhanced Browser gets stuck while fetching directory contents
Build 1495 - July 25, 2018
- Ability to mount SMB shares (remote drives on Windows). Click here for details.
- Bug Fix: Quote screen cannot be saved when CSRF is enabled
- Bug Fix: Smtp password is stored in clear in AppConfig.xml
Version 4.0
Build 1488 - December 06, 2017
- Completely redesigned user interface
- Two-Factor Authentication (Enterprise Edition)
- Quota for home folder (Enterprise Edition)
Version 3.9
Build 1474 - November 21, 2016
- Bug Fix: Filenames containing foreign characters get corrupted when uploading using AJAX Browser
- Enhancement: Two new fields are added in email notifications for public links. These fields include the recipient’s name and email.
Build 1472 - October 28, 2016
- Bug Fix: Empty folders are not uploaded when using Enhanced Browser
- Enhancement: The downloaded JNLP file for Enhanced Browser can now optionally remember user credentials.
Build 1469 - September 15, 2016
- Bug Fix: The upload button is not visible when trying to upload files using a Public Link and browser is IE
Build 1468 - September 06, 2016
- Ability to upload files larger than 2.1 GB using the Ajax Browser
- Integration with Xeams. Click here for details.
Version 3.8
Build 1466 - August 01, 2016
- Significant changes have been made in Embedded SMTP Server.
- Ability to listen on two other ports besides primary. For example, you can make the embedded SMTP server listen on port 25, 587 as well as 465 (SSL)
- Ability to disallow SMTP Authentication on port SMTP but not secondary
- Ability to delegate SMTP authentication for embedded SMTP server. Click here for more information.
Version 3.7
Build 1463 - May 20, 2016
- Public links can be created without specifying an email. In such cases, the link will be displayed on the following message without generating any email.
- Bug Fix: The File Preview feature does not work when there is a space in the file name
Build 1461 - March 07, 2016
- Enhancement: Automatically create new users by sending email invitations. More info…
- Enhancement: The Enhanced Browser is no longer a Java Applet. More info…
Version 3.6
Build 1456 - October 02, 2015
- Bug Fix: Fixes a bug related to SSL certificate in Enhanced Browser
- Enhancement: The location of tmpZipDir can now be changed through server.properties file. This location is used by SynaMan to create a zipped file when multiple files or folders are downloaded by the user.
- Bug Fix: A trailing space in user’s email or shared folder name results in an error.
- Bug Fix: An & sign in shared folder name creates problem in Enhanced Browser
Build 1452 - June 29, 2015
- New Feature: Template user - new users will inherit shared folder from this user.
- Bug Fix: A trailing space in either user name or shared folder name can result in errors.
Version 3.5
Build 1451 - April 16, 2015
- New Feature: Ability to upload files using drag-n-drop when using Ajax Browser or public link. Supported browsers for this feature are Firefox, Google Chrome and Apple Safari. Click here for details.
- New Feature: Ability to upload more than one file at a time.
- New Feature: Ability to add a comment when uploading files using public link. Click here
- Security Fix: CSRF attacks are detected and prevented. Click here for details.
Version 3.4
Build 1444 - October 27, 2014
- Security update: Disables SSLv3, which prevents the newly discovered POODLE attack.
Build 1434 - March 04, 2014
- Ability to upload files from a mobile device
- UPnP support for easily configuring firewalls.
- Troubleshooting wizard to easily identify connection problems.
Version 3.3
Build 1430 - January 16, 2014
- Manifest problem fixed with the applet for Enhanced browser
- The embedded SMTP server can now handle attachments encoded with quoted-printable.
- Ability to rename files when public files are uploaded with same names
Build 1425 - December. 08, 2013
- Support for STARTTLS in embedded SMTP
- Bug fix: uploading files with unicode characters in their name does not work when using the AJAX browser.
- Embedded SMTP can be configured to add the download link either at attachment or part of existing HTML body
Build 1418 - June. 04, 2013
- Triggers - ability to launch custom scripts/executables when files are transferred.
- CLI - Command line interface allows uploading/downloading files to a machine where SynaMan is running, allowing users to script file transfers.
- Global notifications
- Enhanced embedded SMTP server
- Interface enhancements
Version 3.2
Build 1398 - Nov. 09, 2012
- Public links can be protected by a password
- Bug fix: Public link notification email does not work when users are authenticated using Active Directory.
Build 1394 - Oct. 22, 2012
- Cache problem with iPhone/iPad is fixed. iOS tends to cache pages, causing users to see stale data.
Build 1393 - Oct. 08, 2012
- Ability to assign free style note to any file
- Ability to notify user when someone downloads/uploads file using public links
Version 3.1
Build 1386 - Aug. 27, 2012
- Handling of Tricky path alerts is enhanced.
Build 1384 - July 17, 2012
- Bug Fix: The web interface does not save user’s email address under certain conditions.
Build 1382 - June 28, 2012
- Bug Fix: Notification emails are not sent for uploads unless downloads notifications are also enabled.
Build 1380 - June 26, 2012
- Integration with Microsoft Active Directory
- Ability to access SynaMan from iPhone, Android, Windows Phone and other mobile devices
- User home folder
Version 3.0
Build 1365 - May 11, 2012
- Bug fix: On rare occasions, the Embedded SMTP server does not send emails when multiple recipients are specified
Build 1363 - March. 23, 2012
- Ability to download folders via public link
Build 1358 - Feb. 09, 2012
- Enhanced browser - allowing users to upload/download multiple files, complete partially transferred files and Quick edit
Version 2.7
Build 1342 - Nov. 09, 2011
- Bug fix: Access to public folder is broken.
Build 1341 - Nov. 08, 2011
- Ability to display menu without right clicking, useful when connecting to SynaMan interface from Android devices.
- Bug fix: Foreign characters are not displayed correctly when download and upload template files are modified.
Build 1337 - May. 31, 2011
- Embedded SMTP server.
- Total branding
- Ability to force HTTPS if available
- Branding using the web interface
- Ability to use an SSL certificate from IIS server
Version 2.6
Build 1328 - May. 05, 2011
- Ability to abort an upload.
- File filter in the Explorer window. Users can specify a wild card like *.txt to limit files ending with .txt. Multiple filters can be separated by a | symbol. For example, *.gif|*.jpg
Version 2.5
Build 1325 - Apr. 20, 2011
- Weaker SSL ciphers are now disabled by default, forcing clients to use 128 bit encryption…
Build 1324 - Apr. 08, 2011
- Remote file explorer is now compatible with IE 9.
Build 1322 - Mar. 08, 2011
- Bug Fix: Zipped file cannot be created for multiple downloads if the shared folder does not have write access.
Build 1321 - Sep. 15, 2010
- Bug Fix: A security related bug is fixed.
Build 1318 - Sep. 01, 2010
- Bug Fix: The HTTP server accepts multiple Content-Length headers in request, which can be misused by a malicious user.
Build 1316 - July 14, 2010
- Bug Fix: Ampersands in file names are not handled correctly when files are being downloaded.
Build 1314 - June 17, 2010
- Users can change their password through the web interface.
- Existing file name is displayed as default when renaming files.
Build 1313 - May 27, 2010
- Bug Fix: Public links are not created correctly when using IPv6 and connecting from localhost
- Bug Fix: Sometimes users can delete files from a read-only folder
Build 1310 - May 12, 2010
- Public links for HTTPS can now be created.
- Admin’s home page displays current activity
- Admin’s home page displays disk status for the shared folder rather than the installation drive.
Build 1304 - Apr 30, 2010
- Bug Fix: More than one public folder were not getting displayed through the explorer interface.
Build 1303 - Apr 14, 2010
- TLS and SSL are now supported when sending out-bound emails.
Build 1302 - Apr 01, 2010
- Login IDs are now case-insensitive.
- Ability to integrate with Apache mod_proxy
Build 1291 - Feb 12, 2010
- Ability to specify character sets for non-English users. Click here for more information
Build 1289 - Feb 03, 2010
- Bug fix: When modifying data for existing users, users can mistakenly add one user twice.
- Bug fix: Login form now uses HTTP POST rather than GET
Build 1282 - Jan 25, 2010
- Download multiple files together
- Discovery host is used for public links
Version 2.4
Build 1272 - Jan 09, 2010
- Preview - views files on a host machine without downloading them
- Manage existing public links
- The actual hyper link is displayed on the screen after you create a new public link
Version 2.3
Build 1261 - Dec. 22, 2009
- Bug fix - Public link for upload expires prematurely for empty folders.
Build 1259 - Dec. 18, 2009
- Public folders - automatically adds folders to every user
- Custom branding for your company.
- Ability to remove a folder from user’s account. Earlier versions used to mark the folder for no access. Now you can completely remove an unwanted folder.
Version 2.2
Build 1246 - Nov. 20, 2009
- Bug fix - deleting a user does not persist. User appears after reboot.
- Bug fix - multiple public links do not work in the same HTTP session
Build 1205 - Oct. 15, 2009
- File upload/download notifications sent via email
- Ability to add public links
- Security alerts via email
- Remote cut/copy/paste operations
- Troubleshooting utility added for dynamic IP address
Version 2.1
Build 1202 - Jul. 29, 2009
- Several enhancements have been made to the AJAX interface.
- File upload status window
- Audit trail logs
- Additional logging entries added
- Discovery service added for dynamic IP address
Version 2.0
Build 1185 - Dec. 27, 2008
- Completely new interface using AJAX. Includes:
  - Remote file manager
  - Remote browse
- Storage occurs in XML format rather than plain property files
- Users can now use SSH to connect to the web Interface
- Many-to-many relationships can be created between folders and users
- Enhanced logging capabilities added
Version 1.1
Build 972 - May 10, 2008
- Runs as a service on Windows machine
- Start/stop scripts added for Linux
- Ability to restart SynaMan from the web interface
- Enhanced logging capabilities added
Version 1.0
Build 805 - Jul 19, 2007
- Updated JRE to 1.5
- Bug fix - uploading large files fails sometimes
Build 786 - Jun 15, 2007
- Ability to move up to parent folder added
- Ability to jump to a user defined folder