Dear subscribers,
we're sharing our latest advisory with you and like to thank everyone who
contributed in finding and solving those vulnerabilities. Feel free to join our
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: OXUIB-1092
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev26
Vendor notification: 2021-11-15
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44208
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
System messages at the OX Chat component are escaped to avoid injection of
malicious code. However, this check is not performed for messages that are
"unknown" to the system. Such messages do not occur during normal operations.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this an attacker would require
the victim to follow a hyperlink or compromise of chat components.
Steps to reproduce:
1. Maliciously modify the chat infrastructure to inject "unknown" messages that
contain script code
2. Make the victim connect to that infrastructure and request messages for
their account
Solution:
We now sanitize "unknown" system messages, in case this scenario may ever
happen in the wild.
---
Internal reference: MWB-1322
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-11-12
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44209
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Specific HTML5 tags and some attributes were not sufficiently considered when
detecting malicious code thats being served as download.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this an attacker would require
the victim to follow a hyperlink.
Steps to reproduce:
1. Upload a HTML5 document with specific tags, set a HTML file extension but a
misleading media-type
2. Share the file and make a victim click a hyperlink to that resource
Proof of concept:
<audio src="/appsuite/apps/themes/default/sounds/bell.ogg"
onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio>
Solution:
We improved HTML detection and examine a complete list of tags, attributes and
event handlers.
---
Internal reference: MWB-1260
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44210
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Certain media formats (NIFF) in this case, were not detected to contain
potentially harmful content. This can be exploited by an attacker by uploading
malicious content in disguise. Some browsers will attempt to render NIFF
sources as inline content.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this an attacker would require
the victim to follow a hyperlink.
Steps to reproduce:
1. Generate malicious JS/HTML content and upload it as NIFF image, change the
media-type accordingly
2. Share that malicious code using "sharing"
3. Make a victim follow a link to the malicious share
Solution:
We now detect NIFF as potentially malicious content and force browsers to
download it.
---
Internal reference: MWB-1259
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44211
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be
tricked to generate malicious output by injecting seemingly benign garbled HTML
code.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this an attacker would require
some level of access to the victims account, context and pull off a social
engineering attack.
Steps to reproduce:
1. Create a malicious E-Mail signature
2. Share and make a victim select that E-Mail signature
Proof of concept:
<img src class="src=cid:asd onerror=alert('XSS')//">
Solution:
We now check the HTML "class" attribute for potential malicious content for
HTML E-Mail signatures.
---
Internal reference: MWB-1219
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-17
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44212
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Script tags at HTML content can be obfuscated by using trailing control
commands to bypass existing sanitizers.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this an attacker would require
the victim to follow a hyperlink.
Steps to reproduce:
1. Create malicious script code and obfuscate HTML tags using control characters
2. Share the malicious code and make a victim click a link that points to this
code
Proof of concept:
<script\t>alert("XSS");</script\t>
Solution:
We now improve detection of obfuscated HTML tags.
---
Internal reference: MWB-1216
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-13
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44213
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
Binary uu-encoded content at multipart/alternative E-Mails is processed as mail
body without sanitization in certain cases.
Risk:
Malicious script code can be executed within the victims context. This can lead
to session hijacking or triggering unwanted actions via the web interface (e.g.
redirecting to a third-party site). To exploit this the victim needs to
interact with the message.
Steps to reproduce:
1. Generate a malicious mail with binary unix-to-unix content and a specific
header structure, add placeholder content to trigger the "Show entire message"
feature
2. Send that E-Mail to the victim
3. As the victim, select the message and follow the "Show entire content" link
Proof of concept:
?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes
<script>alert("XSS");</script>
Solution:
We now advertise uu-encoded E-Mail parts as file attachment rather than the
mail body.
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/