
[FD] Open-Xchange Security Advisory 2018-12-31



Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Yours sincerely,
 Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 58880 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-06-05
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Unexpected "type" parameters of the "content" XML tag can be used to bypass our 
content sanitizer. In case users added malicious RSS feeds to OX App Suite or a 
legitimate RSS feed got taken over, this can be used to inject script code into 
a user's browser context.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious RSS feed
2. Make users subscribe to this feed using OX App Suite

Proof of concept:
<content></content>
<content type="tex/html"></content>
<content type="garbage"></content>

Solution:
In addition to the existing sanitizers, we added a frontend-level protection to 
avoid plain text being executed as script code.
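As an added illustration of the fix direction described above (example code, not OX App Suite's own sanitizer), the following dispatches a feed entry's content by its "type" attribute so that unexpected values such as "tex/html" or "garbage" are escaped as text instead of reaching the HTML path; sanitizeHtmlStandIn() is a deliberately small stand-in for the application's real sanitizer.

```javascript
// Added example, not OX App Suite code: dispatch Atom/RSS <content> by its
// "type" attribute so an unexpected value never reaches the HTML path.
// sanitizeHtmlStandIn() is a stand-in for the application's real sanitizer.
const HTML_TYPES = new Set(['html', 'xhtml']);

function escapeText(s) {
  // Escape every markup-significant character; the result is inert text.
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function sanitizeHtmlStandIn(html) {
  // Allowlist by un-escaping: escape everything, then re-enable a few
  // attribute-less tags. Event handlers and <script> cannot survive this.
  return escapeText(html).replace(/&lt;(\/?)(p|b|i|br)&gt;/g, '<$1$2>');
}

function renderContent(typeAttr, body) {
  // Atom (RFC 4287): a missing type means "text"; only "html" and "xhtml"
  // carry markup. Normalise the attribute, then compare against the allowlist.
  const type = (typeAttr || 'text').trim().toLowerCase();
  if (HTML_TYPES.has(type)) return sanitizeHtmlStandIn(body);
  // "text", "tex/html", "garbage" and every other value are treated as plain
  // text and escaped, so a mistyped type attribute only yields visible markup.
  return escapeText(body);
}

// Constructed feed entries mirroring the PoC's type values (not real feed data).
const SAMPLE_ENTRIES = [
  { type: undefined, body: '<img src=x onerror=alert(1)>' },
  { type: 'tex/html', body: '<img src=x onerror=alert(1)>' },
  { type: 'garbage', body: '<img src=x onerror=alert(1)>' },
  { type: 'html', body: '<b>bold</b><img src=x onerror=alert(1)>' },
];

function renderAll(entries = SAMPLE_ENTRIES) {
  return entries.map((e) => renderContent(e.type, e.body));
}
```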

---

Internal reference: 58874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev5, 7.8.3-rev7, 7.6.3-rev4
Vendor notification: 2018-06-05
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12609
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
Specific XML tags within PowerPoint presentations can be used to trigger 
network requests on the server side while the document is being converted.

Risk:
Internal network endpoints can be accessed and their default response is 
exposed to the attacker. Attackers can use timing attacks and response 
information to discover valid network services for reconnaissance.

Steps to reproduce:
1. Create a malicious PPTX file
2. Upload this file to OX App Suite
3. Trigger a document preview on the file

Proof of concept:
<Relationship
TargetMode="External"
Target="http://localhost:8008/documentconverterws?action=convert&amp;url=http://localhost:8008/documentconverterws&amp;targetformat=png"
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
Id="rId3">


Solution:
In addition to blocking file-system level access, we now block all kinds of 
external references when processing XML while converting documents.
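The following is an added example, not OX documentconverter code, of the kind of pre-conversion check the solution describes: it scans an OOXML relationships part for Relationship elements that leave the package, either by TargetMode="External" or by an absolute URI, and reports them so conversion can be refused. RELS_SAMPLE is constructed; the regex-based attribute scan stands in for a real XML parser.

```javascript
// Added example, not OX documentconverter code: scan an OOXML relationships
// part (.rels) and refuse conversion when any Relationship leaves the package.
// RELS_SAMPLE is constructed; its external target copies the PoC's shape.
const RELS_SAMPLE = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Target="../media/image1.png"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>
  <Relationship Id="rId3" TargetMode="External"
    Target="http://localhost:8008/documentconverterws?action=convert&amp;targetformat=png"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>
</Relationships>`;

function parseRelationships(xml) {
  // Minimal attribute scan for the example; a converter should use its XML parser.
  const rels = [];
  for (const tag of xml.matchAll(/<Relationship\b([^>]*)>/g)) {
    const attrs = {};
    for (const a of tag[1].matchAll(/([\w:]+)\s*=\s*"([^"]*)"/g)) attrs[a[1]] = a[2];
    rels.push(attrs);
  }
  return rels;
}

function isExternalReference(rel) {
  // External by declaration (TargetMode="External") or by an absolute URI
  // with a scheme, which the conversion sandbox must never dereference.
  const mode = (rel.TargetMode || 'Internal').toLowerCase();
  return mode === 'external' || /^[a-z][a-z0-9+.-]*:/i.test(rel.Target || '');
}

function checkRelationships(xml = RELS_SAMPLE) {
  // Returns the IDs that would be blocked; convert only when the list is empty.
  const blocked = parseRelationships(xml).filter(isExternalReference).map((r) => r.Id);
  return { allowed: blocked.length === 0, blocked };
}
```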


---


Internal reference: 58282 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39
Vendor notification: 2017-04-25
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
An API endpoint meant for monitoring purposes can be used to reflect HTTP 
headers and, by that, script code. To exploit this, the user needs to follow a 
hyperlink on a malicious website.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Upload and share a snippet of bare JS code (no tags) to OX App Suite
2. Create a malicious website that redirects to "TestServlet"
3. Make the user follow a hyperlink that contains script code as URL parameter
4. The URL parameter's content will be reflected as "referer" header by 
"TestServlet"

Proof of concept:
https://www.example.com/referer.html?<script/src=/appsuite/api/files/alert.json?action=document&folder=10&id=10%2F215&delivery=view></script/>

Solution:
We removed any reflected HTTP headers from TestServlet.

---

Internal reference: 58256 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39
Vendor notification: 2018-04-24
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Font prefix information can bypass our sanitizers and be returned as HTML 
content when specific combinations of brackets and quotes are used.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with malicious content, such as images with font 
parameters applied through CSS
2. Make an App Suite user open that mail

Proof of concept:
<p><img src=x style=font:"'onerror='{font:alert(document.cookie)}></p>
<p><img src=x style=font:"'onerror=alert(document.cookie),{></p>

Solution:
We now block font prefix information if malformed font attributes are 
detected.

---

Internal reference: 58226 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33
Vendor notification: 2018-04-20
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
A URL parameter can be used to inject fake "themes" into user settings. If a 
user follows such a malicious link, script code is executed.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a hyperlink containing the "theme" parameter, which refers to a URL 
containing script code
2. Make a user follow this link

Proof of concept:
https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22

Solution:
We added frontend sanitization for this kind of parameter, as such parameters 
are not processed by our sanitizers.

---

Internal reference: 58161 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43
Vendor notification: 2018-04-16
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The "forgot password" link shown on the login page can be modified using URL 
parameters. If users follow forged links, script code can be injected there.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a hyperlink containing the "forgot-password" parameter, which refers 
to script code using a URI scheme
2. Make a user follow this link

Proof of concept:
https://example.com/appsuite/#!!&forgot-password=javascript:alert(1)

Solution:
We removed usage of this URL parameter, so it is no longer reflected.
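The two frontend issues above (bug 58226, the "theme" parameter, and bug 58161, the "forgot-password" parameter) share one root cause: hash-fragment parameters used without validation. The following added example, not OX App Suite frontend code, parses the "#!!&key=value" fragment used in both PoC links and validates the two values before use; THEME_NAME is an assumption about what a valid theme identifier looks like.

```javascript
// Added example, not OX App Suite frontend code: parse the "#!!&key=value"
// hash fragment and validate "theme" and "forgot-password" before they touch
// user settings or the login page.
// THEME_NAME is an assumption about what a valid theme identifier looks like.
const THEME_NAME = /^[A-Za-z0-9_-]{1,64}$/;

function parseHashParams(hash) {
  // "#!!&app=io.ox/files&folder=9&theme=x" -> { app, folder, theme }
  const params = {};
  for (const part of hash.replace(/^#!!?&?/, '').split('&')) {
    if (!part) continue;
    const i = part.indexOf('=');
    let key = i < 0 ? part : part.slice(0, i);
    let val = i < 0 ? '' : part.slice(i + 1);
    try { key = decodeURIComponent(key); val = decodeURIComponent(val); } catch { continue; }
    params[key] = val;
  }
  return params;
}

function safeTheme(value, fallback = 'default') {
  // A theme is a bare identifier; "../", quotes and "+" never pass, so the
  // traversal-plus-injection value from the PoC falls back to the default.
  return THEME_NAME.test(value || '') ? value : fallback;
}

function safeForgotPasswordUrl(value) {
  // Only absolute http(s) URLs may be reflected into the login page link;
  // "javascript:" and every other scheme are dropped.
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch { return null; }
}

function loginParamsFromHash(hash) {
  const p = parseHashParams(hash);
  return { theme: safeTheme(p.theme), forgotPassword: safeForgotPasswordUrl(p['forgot-password'] || '') };
}
```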

---

Internal reference: 58096 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33
Vendor notification: 2018-04-11
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
HTML mails can contain "mailto:" hyperlinks with body parameters that make 
TinyMCE create e-mails with HTML elements. These elements can contain script 
code which is executed if the user interacts with them.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with a hyperlink that points to a mailto: resource and 
contains script code
2. Make a user follow this link and then click the injected HTML element

Proof of concept:
mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E

Solution:
We now sanitize HTML content which gets pasted into the HTML editor through 
"mailto:" links.
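As an added example of handling the "body" parameter safely (not OX App Suite or TinyMCE code), the following takes a mailto: link apart with the WHATWG URL parser and converts the body into escaped editor text, so markup in the parameter is displayed rather than instantiated as live elements; SAMPLE_MAILTO is constructed in the PoC's shape.

```javascript
// Added example, not OX App Suite or TinyMCE code: take the fields of a
// "mailto:" link apart and turn them into inert editor content, so markup in
// the "body" parameter is shown as text instead of becoming live elements.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function mailtoToDraft(href) {
  // Returns null for anything that is not a mailto: URL.
  let url;
  try { url = new URL(href); } catch { return null; }
  if (url.protocol !== 'mailto:') return null;
  const q = url.searchParams;   // decodes %xx and "+" in the query part
  const recipients = decodeURIComponent(url.pathname)
    .split(',').map((r) => r.trim()).filter(Boolean);
  const body = q.get('body') || '';
  return {
    to: recipients,
    subject: q.get('subject') || '',
    // The body goes into the editor as escaped text with <br> line breaks,
    // never as raw HTML.
    bodyHtml: `<p>${escapeHtml(body).replace(/\r?\n/g, '<br>')}</p>`,
  };
}

// Constructed sample in the PoC's shape (not a real message).
const SAMPLE_MAILTO =
  'mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E';
```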

---

Internal reference: 58051 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-04-09
Solution date: 2018-06-25
Public disclosure: 2018-12-31
CVE reference: CVE-2018-12610
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
People who get access to (public) sharing links are able to request the share 
owner's e-mail address, even though it is not required to make sharing work.

Risk:
Semi-confidential information is exposed unexpectedly to external entities. 
This can be used to run targeted spam and malware attacks.

Steps to reproduce:
1. Create a share of files, calendar etc. and forward this link to the public 
or to another person
2. Open the share link and run a "list" call of the user API, iterating 
through user IDs

Proof of concept:
PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=xxx
[3]

<!DOCTYPE html><html><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><script type="text/javascript">(parent["callback_yell"] || 
window.opener && 
window.opener["callback_yell"])({"data":[[6,6,"useruser\"><img>, 
=8*8","=8*8","useruser\"><img>",null,6,"user@xxxxxxxxxxx",null,-1,null]],"timestamp":1523086065259})</script></head></html>

Solution:
We removed user e-mail addresses from responses to API calls triggered by 
(anonymous) guests.

---

Internal reference: 58029 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-04-06
Solution date: 2018-06-25
Public disclosure: 2018-12-31
CVE reference: CVE-2018-12610
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Sessions that were opened to access a share are not terminated when the owner 
of the share modifies the share's password or lifetime.

Risk:
Existing user sessions keep access to shares whose security level has been 
raised or which are no longer meant to be accessible to the previous set of 
users.

Steps to reproduce:
1. Open or log in to a share
2. As owner of the share, modify the share's password
3. Use the API to request shared data using the previously authenticated session

Proof of concept:
https://example.com/appsuite/api/files?action=zipfolder&folder=851&recursive=true&session=xxx

Solution:
We now terminate all active sessions of guests that have access to a share 
when that share's password is modified.
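One way to get the behaviour the solution describes without keeping a session-to-share index is to version the share's settings and stamp each guest session with the version it authenticated against; the following is an added example, not OX App Suite backend code, and its password check is simplified to a string compare of a precomputed hash (an assumption, not the product's scheme).

```javascript
// Added example, not OX App Suite backend code: stamp every guest session with
// the share's settings version at authentication time and bump that version
// whenever the owner changes the password or lifetime, so sessions opened
// under the old settings stop validating. The password check is a plain
// compare of a precomputed hash (assumption; real code uses a constant-time
// comparison against a proper password hash).
const shares = new Map();   // shareId -> { version, passwordHash, expiresAt }
const sessions = new Map(); // sessionId -> { shareId, shareVersion }

function createShare(shareId, passwordHash, expiresAt) {
  shares.set(shareId, { version: 1, passwordHash, expiresAt });
}

function openGuestSession(sessionId, shareId, passwordHash, now) {
  const share = shares.get(shareId);
  if (!share || share.passwordHash !== passwordHash || share.expiresAt <= now) return false;
  sessions.set(sessionId, { shareId, shareVersion: share.version });
  return true;
}

function updateShare(shareId, changes) {
  // Any change to password or lifetime is a new "generation" of the share.
  const share = shares.get(shareId);
  if (!share) return false;
  Object.assign(share, changes);
  share.version += 1;
  return true;
}

function canAccessShare(sessionId, shareId, now) {
  const s = sessions.get(sessionId);
  const share = shares.get(shareId);
  if (!s || !share || s.shareId !== shareId) return false;
  if (s.shareVersion !== share.version) {
    sessions.delete(sessionId); // session predates the settings change: terminate it
    return false;
  }
  return share.expiresAt > now;
}
```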


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/