Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other
HTML attachments. A variation of the original issue has been found thats based
on incorrect global eventhandler blacklist entries.
Risk:
Malicious script code can be executed within a users context. This can lead to
session hijacking or triggering unwanted actions via the web interface (sending
mail, deleting data etc.).
Steps to reproduce:
1. Create a HTML mail with curly brackets that disguise event handlers in CSS
2. Make a App Suite user open the malicious mail
Proof of concept:
<div style=width:100%;height:10px;font:\"'/{/onMouseLeave=alert(1)//></div>
Solution:
We updated the list of blacklisted event handlers to close this bypass,
operators may add a workaround by updating "globaleventhandlers.list" and
change the incorrect handler "onmounseleave" to "onmouseleave".
--
Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno
Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of
techniques used to display a valid signature from the identity of a trusted
communication partner located in the mail header, although the crafted email is
actually signed by an attacker. Our discoveries are based on work of a team of
researchers, publishing these spoofing techniques under the "Johnny You Are
Fired" project name.
Risk:
Recipients of signed PGP mail could be fooled to assume the mail originates
from a trusted source rather than an attacker. This would elevate the mails
trust level and potentially ease social-engineering attacks.
Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different
source
Proof of concept:
https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id
Solution:
We improved validation and make sure mail with valid signatures is only
evaluated to be "trusted" if the sender matches the signature issuer. We also
extended our API to provide more information about a specific signature to let
clients add checks and handle invalid signature information.
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
