Open-Xchange 7.6.0 XSS / SSRF / Traversal

2014.09.16
Risk: Medium
Local: No
Remote: Yes

Product: OX App Suite Vendor: Open-Xchange GmbH Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.6.0 and earlier Vulnerable component: frontend Fixed version: 7.4.2-rev33, 7.6.0-rev16 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-19 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5235 OX bug reference: 33620 CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: CDATA encapsulated script code within certain fields of a RSS feeds gets executed by the frontend. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Solution: RSS feeds now get sanitized more carefully. Users should update to the latest patch releases. Users should avoid integrating untrusted or suspicious RSS feeds. Vulnerability type: Absolute Path Traversal (CWE-36) Vulnerable version: 7.6.0 and earlier Vulnerable component: documentconverter Fixed version: 7.4.2-rev10, 7.6.0-rev10 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-31 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5236 OX bug reference: 33834 Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: Crafted OLE Objects within OpenDocument Text files can be used to reference objects with absolute or relative paths. By using further modifications to the documents XML structure, existing security functions of the LibreOffice backend get bypassed. As a result, the referenced file gets included from the servers file system. Risk: Attackers may read configuration files located at the server where documentconverter is deployed. Since documentconverter runs with reduced permissions, this is valid for all files that can be read by the user group "open-xchange". Solution: A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases. Vulnerability type: Absolute Path Traversal (CWE-36) Vulnerable version: 7.6.0 and earlier Vulnerable component: documentconverter Fixed version: 7.4.2-rev10, 7.6.0-rev10 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-31 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5236 OX bug reference: 33835 Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: Crafted images within OpenDocument Text files can be used to reference objects with absolute or relative paths. As a result, the referenced file gets included from the servers file system. Risk: If an attacker knows the correct path to image files at the server where documentconverter is deployed, those can be made available to the attacker. Usually no security-related images are stored within deployments. Content of the OX Drive storage could be referenced but since the storage is separated to context- and user-bucket specific, hashed paths, it's unlikely for an attacker to successfully referencing such files. Including many files may pose a risk of denial-of-service attacks, though. Solution: A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases. Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.6.0 and earlier Vulnerable component: documentconverter Fixed version: 7.4.2-rev10, 7.6.0-rev10 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-31 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5237 OX bug reference: 33836 Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting CVSSv2: 4.4 (AV:N/AC:L/Au:M/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND) Vulnerability Details: Text documents allow embedding remote images, based on URLs provided by the document creator. When editing such a document within OX Text, the image gets requested by the users client, which is fine. However, when rendering previews of such images, the file gets requested by the server, introducing a SSRF attack vector. Risk: Malicious documents could be used to fetch lots of images from a specific host, leading to denial-of-service attacks. Also, content may get fetched from legally questionable sources, potentially putting the operator of the documentconverter into legal trouble. Solution: Outbound traffic of a documentconverter deployment should be controlled on a network level, if an operator does not wish to let users include external resources and use them when generating document previews. Users should update to the latest patch releases. A new black- and whitelist has been introduced to control access to remote resources. Vulnerability type: Improper Restriction of Recursive Entity References in DTDs (CWE-776) Vulnerable version: 7.6.0 and earlier Vulnerable component: office Fixed version: 7.4.2-rev11, 7.6.0-rev9 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-31 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5238 OX bug reference: 33838 Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: Since OpenDocument Text documents are XML files, external entities may get included to these files. The XML parser tries to resolve these external entities by expanding them (XEE), for example including files or running specific XML parser functions. There are several attack vectors, for example including local files from the OX Text deployment or creating malicious documents that use exponential entity expansion (XEEE). Such exponential entities can be used to create huge documents based on very few lines of XML code. Risk: By using an XEE attack, introducing the XML "SYSTEM" entity and absolute or relative paths, the referenced file gets included from the servers file system. As a result, the whole file is visible at the OX Text editor. XEEE attacks can be used to run denial-of-service attacks to the deployment by creating vastly complex XML files that take a lot of time to process. Solution: DOCTYPE within ODT files is now forbidden and therefor external or special entities cannot get included anymore. Users should update to the latest patch releases. Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.6.0 and earlier Vulnerable component: backend Fixed version: 7.4.2-rev33, 7.6.0-rev16 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-31 Solution date: 2014-08-26 Public disclosure: 2013-09-15 CVE reference: CVE-2014-5234 OX bug reference: 33839 Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: Arbitrary script code can be used as folder publication name, leading to code execution at clients that display such publications. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Solution: Publications now get sanitized more carefully. Users should update to the latest patch releases.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top