Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving these vulnerabilities. Feel free to join our 
bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH




Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Attachment file names in mail can be used to inject script code, which executes 
when the victim hovers the mouse over the attachment.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient expand the "attachments" area and mouse over the 
attachment

Proof of concept:
------=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"


Solution:
We made sure to use the actual text node as label to avoid injecting DOM nodes.


---


Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be 
used to inject script code. Sharing such objects with other users allows 
attacking them. This requires either a trust relationship between those users, 
or both users being provisioned in the same context.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a PIM object, like an appointment
2. Upload an attachment with a malicious file name
3. Make the victim open the object in detail view

Proof of concept:
"><img src=x onerror=alert(document.domain)>.jpg

Solution:
We transformed file names to text nodes before adding them to DOM.
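The two fixes above (bugs 59653 and 59507) come down to the same rule: a file name must reach the page as text, never as markup. The following JavaScript is an added example and is not OX App Suite code; it contrasts an unsafe template that interpolates the raw name into a label and a title attribute with a version that escapes it, and shows the DOM-API form of the fix (createTextNode) that the advisories describe. The function names and the tag-counting helper are this example's own; the two file names are taken from the proof-of-concept lines above.

```javascript
// Added example (not OX App Suite code): rendering an attachment file name.
// The unsafe variant interpolates the raw name into markup; the safe variant
// escapes it. In a browser, appending a text node gives the same guarantee.

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the file name is used both as the visible label and as the
// title attribute without escaping, so a name such as <u onmouseover=alert(1)>w
// becomes a real element with an event handler.
function renderAttachmentUnsafe(fileName) {
  return `<a class="attachment" title="${fileName}">${fileName}</a>`;
}

// Hardened: the name can only ever be text, in both contexts.
function renderAttachmentSafe(fileName) {
  const label = escapeHtml(fileName);
  return `<a class="attachment" title="${label}">${label}</a>`;
}

// Browser-side equivalent of the fix (needs a DOM, so it is not exercised in
// Node): build the element with DOM calls and attach the name as a text node,
// so the HTML parser never sees it.
function attachmentLabel(fileName, doc = globalThis.document) {
  const link = doc.createElement('a');
  link.className = 'attachment';
  link.title = fileName;                          // property set, not markup
  link.appendChild(doc.createTextNode(fileName)); // text node, never parsed
  return link;
}

// Crude comparison helper: count start tags. Escaped text contains no '<',
// so only the tags of the template itself remain.
function startTagCount(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// The two file names from the advisories (constructed from the PoC lines).
const MAIL_PAYLOAD = '<u onmouseover=alert(1)>w';
const PIM_PAYLOAD = '"><img src=x onerror=alert(document.domain)>.jpg';

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of [MAIL_PAYLOAD, PIM_PAYLOAD]) {
    console.log('unsafe start tags:', startTagCount(renderAttachmentUnsafe(name)));
    console.log('safe   start tags:', startTagCount(renderAttachmentSafe(name)));
    console.log(renderAttachmentSafe(name));
  }
}
```

With either payload the unsafe template yields three start tags (the link plus the injected element twice, once from the attribute break-out and once from the label), while the escaped rendering yields exactly the one `<a>` of the template. The attribute context matters for the PIM payload: its leading `">` only works because the unsafe template places the name inside a quoted attribute.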


---


Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Specific URL parameters can be used to circumvent the handling of potentially 
malicious files. Usually we force the user agent to download such files instead 
of possibly opening them inline.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to 
trigger UA content guessing
3. Create a link to download that file and use the content_disposition=inline 
parameter
4. Share the link with another user of the system, or a guest, and make them 
open it

Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline

Solution:
We now prefer server-side content-disposition defaults over client-side 
parameters when dealing with attachments.
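The fix described here is a precedence rule: the server first decides what a stored file's type may safely be served as, and a client-supplied content_disposition parameter can only relax that decision where the server-side default already allows inline display. The JavaScript below is an added example written for this advisory, not OX App Suite code (the backend it models is not written in JavaScript; the language is used here for consistency with the other examples on this page). The list of active content types, the function names and the sample file names are this example's own assumptions.

```javascript
// Added example (not OX App Suite code): choosing Content-Disposition for a
// stored file when the client asks for "inline". The server-side default for
// the stored MIME type wins for anything a browser could execute.

// Types the user agent may render as a document in which script can run.
// Any "+xml" type is treated the same way, because XML rendering permits
// embedded XHTML/SVG with script; an unknown/empty type is never trusted.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'application/xml', 'text/xml',
  'image/svg+xml', 'text/xsl',
]);

function normalizeType(storedType) {
  const base = (storedType || '').split(';')[0].trim().toLowerCase();
  return base || 'application/octet-stream';
}

function isActiveContent(type) {
  return ACTIVE_CONTENT_TYPES.has(type)
    || type.endsWith('+xml')
    || type === 'application/octet-stream';
}

// Vulnerable behaviour (illustrative): the client parameter is applied as-is,
// so content_disposition=inline on an XHTML file renders it in the browser.
function dispositionUnsafe(storedType, requested) {
  return requested === 'inline' ? 'inline' : 'attachment';
}

// Hardened behaviour: compute the server-side default first; the client may
// only pick "inline" where the default already permits it.
function dispositionSafe(storedType, requested) {
  const serverDefault = isActiveContent(normalizeType(storedType)) ? 'attachment' : 'inline';
  if (serverDefault === 'attachment') return 'attachment';
  return requested === 'inline' ? 'inline' : 'attachment';
}

// Header value with a sanitised file name: CR/LF and quotes cannot break the
// header, and the full name goes through an RFC 5987 filename* parameter.
function contentDispositionHeader(disposition, fileName) {
  const cleaned = String(fileName).replace(/[\r\n"]/g, '_');
  const ascii = cleaned.replace(/[^\x20-\x7e]/g, '_');
  const star = encodeURIComponent(cleaned)
    .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `${disposition}; filename="${ascii}"; filename*=UTF-8''${star}`;
}

// Response headers for a file download endpoint: type, disposition and
// nosniff, so the UA cannot guess a harmless type into an active one.
function responseHeaders(storedType, fileName, requested) {
  const type = normalizeType(storedType);
  return {
    'Content-Type': type,
    'Content-Disposition': contentDispositionHeader(dispositionSafe(type, requested), fileName),
    'X-Content-Type-Options': 'nosniff',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(responseHeaders('application/xhtml+xml', 'html-xml', 'inline'));
  console.log(responseHeaders('image/png', 'photo.png', 'inline'));
}
```

The X-Content-Type-Options header closes the other half of the reproduction steps above: even where a file is served with a non-active type, it stops the user agent from content-sniffing it into something it would render as a document.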


---


Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Data with references to external content, like images of a contact imported as 
vCard, can be used to make the server follow redirects to local, restricted or 
internal network addresses.

Risk:
This can be used to perform port scanning to prepare future attacks and gain 
information about the target system.

Steps to reproduce:
1. Create a malicious vCard file, including a remote location for the "PHOTO" 
attribute
2. Configure the provided host so that it responds with HTTP 30X redirects to 
internal hosts
3. Upload the vCard file to the App Suite system, monitor the runtime and 
response code

Proof of concept:
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg

Solution:
We no longer follow HTTP redirects pointing to local or network-internal 
locations.


---


Internal reference: 56558 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.3 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-19
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
IP block-lists can be circumvented by using non-decimal representations of IP 
addresses.

Risk:
This can be used to perform port scanning, host discovery and content retrieval 
to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create content with external references, for example an RSS feed
2. Use octal or hexadecimal representations of IP addresses (8, 16, 24 or 32-bit)

Proof of concept:
Octal:
http://017700000001/foo.xml

Hex:
http://0x7f000001/foo.xml

Decimal:
http://2130706433/foo.xml

Solution:
We now properly detect octal and hexadecimal IP address representations.
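The two SSRF fixes above (bugs 56457 and 56558) belong together: a fetcher must classify every target it is about to request, including each redirect hop, and that classification must understand the octal, hexadecimal and plain-integer spellings of an address as well as the dotted one. The JavaScript below is an added example, not OX App Suite code (the backend it models is not written in JavaScript; the language is used for consistency with the other examples on this page). It deliberately avoids the WHATWG URL parser, which would already normalise the literals and hide what the check has to do. The blocked-range table, the function names and the resolver callback are this example's own; the probe URLs are the ones from the proof of concept, plus a short dotted form.

```javascript
// Added example (not OX App Suite code): a fetch/redirect target check that
// (a) parses the octal, hex and integer IPv4 spellings from the advisory and
// (b) refuses loopback, private, link-local and other non-routable targets.

// Parse an IPv4 literal the way inet_aton() does: one to four dot-separated
// components, each hex (0x..), octal (leading 0) or decimal, with the last
// component filling the remaining bytes. Returns the 32-bit value as a
// number, or null when the string is not an IPv4 literal.
function parseIPv4Literal(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const values = [];
  for (const part of parts) {
    if (/^0[xX][0-9a-fA-F]+$/.test(part)) values.push(parseInt(part.slice(2), 16));
    else if (/^0[0-7]*$/.test(part)) values.push(parseInt(part, 8));
    else if (/^[1-9][0-9]*$/.test(part)) values.push(parseInt(part, 10));
    else return null;
  }
  const last = values.pop();
  const lastWidth = 4 - values.length;        // bytes the last component covers
  if (last >= 2 ** (8 * lastWidth)) return null;
  if (values.some((v) => v > 255)) return null;
  let address = 0;
  for (const v of values) address = address * 256 + v;
  return address * 2 ** (8 * lastWidth) + last;
}

function ipv4ToString(address) {
  return [24, 16, 8, 0].map((s) => (address >>> s) & 255).join('.');
}

// Ranges an internal fetcher must never be steered into: "this" network,
// RFC 1918, shared address space, loopback, link-local, multicast/reserved.
const BLOCKED_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function blockedRangeFor(address) {
  return BLOCKED_RANGES.find(([base, bits]) => {
    const shift = 32 - bits;
    return (address >>> shift) === (parseIPv4Literal(base) >>> shift);
  }) || null;
}

// Scheme and host of a URL, extracted without the WHATWG parser (which would
// already normalise IPv4 literals and hide the point of the example).
function schemeAndHost(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/(?:[^@\/?#]*@)?(\[[^\]]*\]|[^:\/?#]*)/.exec(url);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

// Decide whether the fetcher may request `url`; run this for the initial URL
// and again for every redirect Location. `resolve(hostname)` returns the
// hostname's IPv4 addresses as numbers; the default refuses anything that
// needs DNS, so a production caller must pass a real resolver. IPv6 literals
// are rejected outright here rather than classified (a simplification).
function fetchDecision(url, resolve = () => null) {
  const parsed = schemeAndHost(url);
  if (!parsed) return { allow: false, reason: 'unparsable URL' };
  if (parsed.scheme !== 'http' && parsed.scheme !== 'https') {
    return { allow: false, reason: `scheme ${parsed.scheme} not permitted` };
  }
  const { host } = parsed;
  if (host === 'localhost' || host.endsWith('.localhost') || host.startsWith('[')) {
    return { allow: false, reason: 'loopback name or IPv6 literal' };
  }
  const literal = parseIPv4Literal(host);
  const addresses = literal !== null ? [literal] : resolve(host);
  if (!addresses || addresses.length === 0) return { allow: false, reason: 'host did not resolve' };
  for (const address of addresses) {
    const range = blockedRangeFor(address);
    if (range) {
      return { allow: false, reason: `${ipv4ToString(address)} is in ${range[0]}/${range[1]}` };
    }
  }
  return { allow: true, reason: 'public address' };
}

// The three spellings of 127.0.0.1 from the proof of concept, plus a short
// dotted form that inet_aton() also accepts.
const PROBES = [
  'http://017700000001/foo.xml', // octal
  'http://0x7f000001/foo.xml',   // hex
  'http://2130706433/foo.xml',   // decimal integer
  'http://127.1/foo.xml',        // two-component dotted form
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const url of PROBES) console.log(url, '->', fetchDecision(url));
}
```

Checking the resolved addresses rather than the host name string is what makes the redirect case from bug 56457 work: a public host name that resolves to, or redirects to, an internal address is refused at the hop where that happens.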


---


Internal reference: 56406 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev40
Vendor notification: 2017-12-06
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Content of mails added to the Portal is executed as script code. This way 
malicious code within mails can be stored persistently.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious script code
2. Make a user add this E-Mail to the Portal

Proof of concept:
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
</head>
<body>
<p style="" class="default-style">&#60;img src=&#34;x&#34; 
onerror=&#34;alert(document.cookie);&#34;&#62;</p>
</body>
</html>

Solution:
We adjusted "unescaping" of mail content at the frontend side.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/