[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] OpenXchange | Information Disclosure

To: fulldisclosure@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [FD] OpenXchange | Information Disclosure
From: t.schughart@xxxxxxxxxxxxxxxxxxx
Date: Sat, 30 Jan 2016 12:19:04 +0100

Hi@all,

there is an information disclosure in OpenXchange (prior 7.8).

An authenticated user can enumerate all imap user folders. If you browsethe PoC you get an permission denied error, but the folder’s name isreflected into the page in json format.


About Open Xchange:

Open-Xchange[2] develops, markets and sells web-based communication,collaboration and office productivity software, which enables fullintegration of email, documents, scheduling and social media


Risk-Rating: Very low

PoC:
https://ox.com/appsuite/api/tasks?action=all&folder=10>&columns=6%2C20%2C200%2C202%2C203%2C221%2C300%2C309&sort=202&order=asc&timezone=UTC&session=<YOUR_SESSION>

You have to paste your valid session. The Vulnerable parameter isfolder. It requires an integer.


The vendor has been informed and fixed the Bug in newest Version.

Best regards

Tim Schughart
IT Security engineer

ProSec Networks
Website: https://www.prosec-networks.com
E-Mail: info@xxxxxxxxxxxxxxxxxxx
Phone: +49(0) 2621 9469 252

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] VMWare Zimbra Mailer | DKIM longterm Mail Replay vulnerability
Next by Date: [FD] Equibase.com HTML Injection/Possible Reflected XSS
Previous by thread: [FD] VMWare Zimbra Mailer | DKIM longterm Mail Replay vulnerability
Next by thread: [FD] Equibase.com HTML Injection/Possible Reflected XSS
Index(es):
- Date
- Thread