[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open-Xchange Security Advisory 2013-08-16

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Open-Xchange Security Advisory 2013-08-16
From: Martin Braun <martin.braun@xxxxxxxxxxxxxxxx>
Date: Fri, 16 Aug 2013 07:37:23 +0200 (CEST)

Product: Open-Xchange AppSuite / HTMLCleaner
Vendor: Open-Xchange GmbH / HTMLCleaner team

Internal reference: 27708 (Open-Xchange Bug ID), 86 (HTMLcleaner ticket)
Vulnerability type: Race condition within a thread (CWE-366)
Vulnerable version: 7.2.2
Vulnerable component: backend
Fixed version: 7.2.2-rev13
Solution status: Fixed by Vendor (Open-Xchange), Fixed by third party 
(HTMLCleaner)
Vendor notification: 2013-07-22
Solution date: 2013-08-06
Public disclosure: 2013-08-16
CVE reference: CVE-2013-5035
CVSSv2: 7.6 
(AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:U/RC:C/CDP:H/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
If multiple requests to save E-Mail as “draft”, or send E-Mail, occur within a 
very narrow window of time, it is possible that E-Mail content get swapped 
between requests. The root cause for this is a HTML sanitising library that 
turned out not to be thread-safe despite it claims to be. Further research 
showed, that the issue has been introduced with OX 7.2.2 by updating to the 
latest version of this library (2.2 to 2.5). OX Versions 7.2.1 and earlier are 
not vulnerable.

Risk:
Not properly handling concurrent access within the sanitising library leads to 
a potential privacy issue. Content can become modified unintentionally or 
available to unprivileged users and recipients, when mixing with other users 
content while processing mail. An attacker could potentially trigger a lot of 
these requests to provoke content switches in order to randomly access mail 
content and personal data. Apart from using the library for this specific 
use-case, results for general HTML sanitising under high load may not be 
accurate and could contain corrupted content.

Steps to reproduce:
1. Have a multiple clients constantly saving draft mail or sending mail 
(quicker than 100ms per mail)

Proof of concept:
The issue has been reproduced using Unit tests, load tests and has been 
confirmed by the HTMLcleaner development team. At typical load, we experienced 
a probability of less than 0.5% that mail content of the same client either 
gets duplicated or mixed with mail content of another client. Higher system 
load and concurrent usage (per OX node) leads to a higher probability that this 
issue can arise.
We have reported this issue back to the maintainers of the library, adding a 
test case and proof-of-concept code. The issue has been fixed with HTMLCleaner 
2.6, see http://sourceforge.net/p/htmlcleaner/bugs/86/ for more details.

Solution:
The solution is to create one instance of the sanitizer per request rather than 
passing multiple requests to the same instance. This avoids potential 
multithreading issues using this library, however it does not solve the root 
cause and other consumers of this library should either downgrade, upgrade or 
implement a similar workaround.
Users should update to the latest available patch releases 7.2.2-rev13

Martin Braun
Open-Xchange GmbH

Prev by Date: Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities
Next by Date: MS Excel 2002/2003 CRN record 0day PoC
Previous by thread: Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities
Next by thread: MS Excel 2002/2003 CRN record 0day PoC
Index(es):
- Date
- Thread