[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Open-Xchange Security Advisory 2013-06-03
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Open-Xchange Security Advisory 2013-06-03
- From: Martin Braun <martin.braun@xxxxxxxxxxxxxxxx>
- Date: Mon, 3 Jun 2013 08:57:00 +0200 (CEST)
Open-Xchange Security Advisory (multiple vulnerabilities)
Multiple security issues for Open-Xchange Server 6 and OX AppSuite have been
discovered and fixed. The vendor has chosen a responsible full disclosure
method to publish security issue details. Users of the software have already
been provided with patched versions. German law prohibits to provide code that
may be used by attackers, therefor no PoC or working code is available within
this advisory.
Proof regarding the authenticity of these issues can be obtained from the
published release notes:
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1419_6.20.7-rev18_2013-05-09.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1420_6.22.0-rev16_2013-05-09.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1421_6.22.1-rev19_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1422_7.0.1-rev7_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1423_7.0.2-rev11_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1424_7.2.0-rev8_2013-05-09.pdf
Product: Open-Xchange Server 6, OX AppSuite
Vendor: Open-Xchange GmbH
***********************
Internal reference: 25957
Vulnerability type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7,
7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-17
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 4.8
(AV:N/AC:L/AU:N/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Embedded VBS (Visual Basic Script) code at HTML content does not get sanitized
and may be executed at the users client.
Risk:
Embedded VBS code can be executed in the context of a user of the OX6 or
AppSuite web interface. This affects Internet Explorer users with default
browser security settings. Other browsers may be affected too, if VBS plugins
are installed.
Solution:
Switch to a non-VBS compatible browser like Chrome, Firefox, Safari
Use spam filtering mechanisms that block or filter VBS content
Note: Disabling VBS execution at a browser level of Internet Explorer will also
disable JavaScript execution which is mandatory to use OX web interfaces.
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16,
6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.
***********************
Internal reference: 26237
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7,
7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-27
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7
(AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Cross site scripting can be performed when using forged "object/data" entities
within HTML code. This object/data may contain harmful base64 encoded content
that gets executed by certain browsers.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.)
Solution:
Avoid opening hyperlinks from untrusted source
Avoid using content that may contain script code (e.g. HTML attachments)
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16,
6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.
***********************
Internal reference: 26243
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7,
7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-29
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7
(AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Cross site scripting can be performed when using forged content-type header
parameters within a URL call.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.)
Solution:
Avoid opening hyperlinks from untrusted sources
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16,
6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.
***********************
Internal reference: 26244
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7,
7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-29
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7
(AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Cross site scripting can be performed when using forged URL calls forcing the
UTF-16 charset. Existing checks fail since the content does not match the usual
UTF-8 pattern.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.)
Solution:
Avoid opening hyperlinks from untrusted sources
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16,
6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.
***********************
Internal reference: 26373
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 6.22.0 to 7.2.0-rev7
Vulnerable component: backend
Fixed version: 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-05-03
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7
(AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details:
Embedded script code at HTML content does not get sanitized and executed at the
users client when using the "delivery=view" call. While this call is actively
used by OX AppSuite but not OX6 UI, the backend offers this call since 6.22.0.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.)
Solution:
Avoid opening hyperlinks from untrusted sources
Users should update to the latest patch releases 6.22.0-rev16, 6.22.1-rev19,
7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.