Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who
contributed to finding and solving those vulnerabilities. Feel free to join our
bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Attachment file names in mail can be used to inject script code, which executes
when the victim moves the mouse over the attachment.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or to triggering unwanted actions via the web interface
(sending mail, deleting data, etc.).
Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient expand the "attachments" area and move the mouse over the attachment
Proof of concept:
------=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"
Solution:
We made sure to use the actual text node as the label to avoid injecting DOM nodes.
---
Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be
used to inject script code. Sharing such objects with other users allows an
attacker to target them. This requires either a trust relationship between those
users or that both are provisioned to the same context.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or to triggering unwanted actions via the web interface
(sending mail, deleting data, etc.).
Steps to reproduce:
1. Create a PIM object, such as an appointment
2. Upload an attachment with a malicious file name
3. Make the victim open the object in the detail view
Proof of concept:
"><img src=x onerror=alert(document.domain)>.jpg
Solution:
We transformed file names to text nodes before adding them to the DOM.
---
Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Specific URL parameters can be used to circumvent the handling of potentially
malicious files. Normally we force the user agent to download such files rather
than letting it open them.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or to triggering unwanted actions via the web interface
(sending mail, deleting data, etc.).
Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to trigger UA content guessing
3. Create a link to download that file and add the content_disposition=inline parameter
4. Share the link with another user of the system, or a guest, and make them open it
Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline
Solution:
We now prefer server-side content-disposition defaults over client-side
parameters when dealing with attachments.
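The before/after of that content-disposition decision, as an added Python model written for this advisory (not OX App Suite code): the set of sniffable types and the allow-list of media that may go inline are assumptions made for the example.

```python
# Types a browser can render as markup or sniff into it. The set is an
# assumption for this example, not the product's own list.
SNIFFABLE = {
    "text/html", "application/xhtml+xml", "application/xml", "text/xml",
    "image/svg+xml", "text/javascript", "application/javascript",
}

def _header_value(disposition, filename):
    # Strip characters that would break the header or smuggle a second one.
    name = "".join(c for c in filename if c not in '"\r\n')
    return f'{disposition}; filename="{name}"'

def vulnerable_headers(stored_type, requested, filename):
    """Before the fix: a client-supplied content_disposition=inline is honoured
    for any file, so HTML stored as 'application/xml' renders in the app origin."""
    disposition = "inline" if requested == "inline" else "attachment"
    return {"Content-Type": stored_type,
            "Content-Disposition": _header_value(disposition, filename)}

def hardened_headers(stored_type, requested, filename):
    """After the fix: the server-side default decides for anything a UA might
    sniff; the client parameter only applies to clearly passive media."""
    mime = stored_type.split(";")[0].strip().lower()
    inline_ok = mime.startswith(("image/", "audio/", "video/")) and mime not in SNIFFABLE
    disposition = "inline" if requested == "inline" and inline_ok else "attachment"
    return {"Content-Type": mime,
            "Content-Disposition": _header_value(disposition, filename),
            # Also stop the UA from second-guessing the declared type.
            "X-Content-Type-Options": "nosniff"}
```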
---
Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Data containing references to external content, such as the photo of a contact
imported as a vCard, can be used to force redirects to local, restricted or
internal network addresses.
Risk:
This can be used to perform port scanning to prepare future attacks and gain
information about the target system.
Steps to reproduce:
1. Create a malicious vCard file whose "PHOTO" attribute points to a remote location
2. Configure the referenced host so that it responds with HTTP 30X redirects to internal hosts
3. Upload the vCard file to the App Suite system and monitor the request runtime and response code
Proof of concept:
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg
Solution:
We no longer follow HTTP redirects pointing to local or network-internal
locations.
---
Internal reference: 56558 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.3 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-19
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
IP blacklists can be circumvented by using non-decimal representations of IP
addresses.
Risk:
This can be used to perform port scanning, host discovery and content retrieval
to prepare future attacks and gain information about the target system.
Steps to reproduce:
1. Create content with external references, for example an RSS feed
2. Use an octal or hexadecimal representation of the IP address (8, 16, 24 or 32-bit)
Proof of concept:
Octal:
http://017700000001/foo.xml
Hex:
http://0x7f000001/foo.xml
Decimal:
http://2130706433/foo.xml
Solution:
We now properly detect octal and hexadecimal IP address representations.
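The two backend fixes above (refusing redirects to internal locations, and recognising octal, hexadecimal and plain-integer IP spellings) share one check, shown here as an added Python example written for this advisory rather than OX code. The `resolve` and `fetch` callables are injected so the block runs offline; a real client would also have to connect to the address it validated, not re-resolve the name.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# inet_aton rules, which browsers share: 1 to 4 dot-separated parts, each
# decimal, octal (leading 0) or hex (0x); the last part fills the remaining bytes.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _part_value(p):
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)

def parse_legacy_ipv4(host):
    """IPv4Address for 017700000001, 0x7f000001, 2130706433, 127.1 ...; None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values, tail_bits = [_part_value(p) for p in parts], 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << tail_bits:
        return None
    number = int.from_bytes(bytes(values[:-1]), "big") << tail_bits | values[-1]
    return ipaddress.IPv4Address(number)

def is_internal(host, resolve):
    """True if the literal, or any address resolve(name) returns, is non-public."""
    literal = parse_legacy_ipv4(host)
    try:
        addrs = [literal] if literal is not None else [ipaddress.ip_address(host)]
    except ValueError:  # a hostname: check every address it resolves to
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # loopback, private, link-local, unspecified ...
            return True
    return False

def fetch_external(url, fetch, resolve, max_hops=5):
    """Fetch url, re-checking the destination of every redirect hop; fetch() is injected."""
    for _ in range(max_hops):
        host = urlsplit(url).hostname or ""
        if not host or is_internal(host, resolve):
            raise ValueError(f"refusing to fetch non-public host: {host!r}")
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = headers["location"]  # follow only after the check above
            continue
        return body
    raise ValueError("too many redirects")
```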
---
Internal reference: 56406 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev40
Vendor notification: 2017-12-06
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
The content of mails added to the Portal is executed as script code. This way,
malicious code within mails can be stored persistently.
Risk:
Malicious script code can be executed within a user's context. This can lead to
session hijacking or to triggering unwanted actions via the web interface
(sending mail, deleting data, etc.).
Steps to reproduce:
1. Create an E-Mail containing malicious script code
2. Make a user add this E-Mail to the Portal
Proof of concept:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p style="" class="default-style"><img src="x"
onerror="alert(document.cookie);"></p>
</body>
</html>
Solution:
We adjusted the "unescaping" of mail content on the frontend side.
Sent through the Full Disclosure mailing list: https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/