Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Vulnerability Details:
Appointment titles are rendered as hyperlink but were missing a protection
against "tab nabbing".
Risk:
When following a hyperlink to a malicious website, the original tab location
(OX App Suite) could be replaced with a URL chosen by the attacker. This can be
exploited to trick users to re-enter credentials to a seemingly legitimate
website and as a result take over accounts.
Steps to reproduce:
1. Create a appointment invitation that contains a link to a malicious website
including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the
appointments title
3. Provide a effective exploit to overwrite the users original URL and fake a
login page
Proof of concept:
Appointment title content:
<a href="//www.evil.com/window.html" target="_blank">Click Me! :-)
Payload:
<script>
window.opener.location.replace('//www.evil-fakelogin.com/');
</script>
Solution:
We extended the usage of existing protection mechanisms (blankshield) to this
case.
---
Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
When replying to a HTML E-Mail with specific payload, that payload could be
executed as script code. The user would have to have HTML composing enabled to
exploit this vulnerability. This vulnerability could happen as browsers
incorrectly "fix" HTML content as demonstrated by @kinugawamasato for Google
Search.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.).
Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail
Proof of concept:
Test
<noscript><p class="xss">Another XSS!
<!-- --!
> <img src=x onerror=alert(document.domain)>
Solution:
We improved our filter and whitelisting mechanisms to block this kind of code
from entering the browsers rendering engine.
---
Internal reference: 64703 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
When opening a embedded HTML E-Mail, sanitization mechanisms were not active.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.).
Steps to reproduce:
1. Create an E-Mail with malicious content and embed/attach it to another E-Mail
2. Make the user open to embedded E-Mail using OX App Suites "View" feature
Proof of concept:
<img src=x onerror=alert(document.domain)>
Solution:
We now use existing filtering mechanisms when processing embedded or attached
E-Mail.
---
Affected product: OX App Suite
Internal reference: 62465 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.6.3 and later
Vulnerable component: driverestricted, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (driverestricted): 7.6.3-rev4, 7.8.3-rev8, 7.8.4-rev6,
7.10.0-rev5, 7.10.1-rev4
Fixed version (backend): 7.6.3-rev46, 7.8.3-rev56, 7.8.4-rev52, 7.10.0-rev31,
7.10.1-rev12
Vendor notification: 2019-01-14
Solution date: 2019-05-13
Public disclosure: 2019-08-15
CVE reference: CVE-2019-11806
CVSS: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Bundles that contain private keys and passwords for OX Drive related push
services were deployed without proper file-system permissions. We also fixed
default file-system permissions for related configuration files that
potentially contain passwords set by the operator.
Risk:
A user with non privileged system-level access could access and extract the
bundles (JAR files) and analyze their byte-code. From that its possible to
extract both the private key for APN certificates as well as their encryption
password and GCM key/secret pairs. Extracting this does not open a specific
attack vector but we consider the information confidential and our handling did
not adhere to our standards with that kind of information.
Steps to reproduce:
1. Use a non privileged user account to access an OX App Suite Middleware
machine
2. Check file permissions for "driverestricted" bundles that contain secret
keys and passwords
Solution:
We updated file-system level permissions for such bundles and configuration
files.
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
