Open-Xchange Security Advisory 2014-11-07

[Martin Heiland <martin.heiland@xxxxxxxxxxxxxxxx>]

Product: OX App Suite
Vendor: Open-Xchange GmbH

Internal reference: 34765 (Bug ID)
Vulnerability type: SQL Injection (CWE-89)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Researcher credits: SoftScheck GmbH
Fixed version: 7.4.2-rev36, 7.6.0-rev23
Vendor notification: 2013-10-06
Solution date: 2014-10-08
Public disclosure: 2014-11-07
CVE reference: CVE-2014-7871
CVSSv2: 7.6 
(AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A SQL injection vulnerability has been identified at the "jslob" API call. 
Abusing the MySQL "ExtractValue" function allows execution of arbitrary SQL 
code by passing it through MySQLs XPath interpreter. 30 characters of the 
injected SQL queryies result are returned as an error message by the parser 
when failing to evaluate XPath. This issue affects MySQL 5.1 and later.

Risk:
Confidential data may get exposed to authenticated users (attackers). OX 
AppSuite user passwords are stored hashed and salted either using SHA1 or 
bcrypt, making it hard to gather plain-text passwords. However, other 
information like server configuration data, configuration files and database 
content could be extracted using this vulnerability. Even though the amount of 
returned data is limited to 30 characters for each request, this vulnerability 
can be used to subsequently gather more information by using scripts.

Steps to reproduce:
Forge a PUT request to the jslob api and escape the JSON structure, inject 
invalid XPath syntax and a piggy-back SQL query to the MySQL XPath interpreter. 
Bound to german law, we're not allowed to disclose exploit code that could be 
used to attack in-production systems.

Possible solutions:
Update to the latest available version of OX AppSuite/OX6 backend.
Configure a web application firewall to mitigate such requests.