Ox App Suite 7.8.4 / 7.8.3 XSS / CSRF / Information Disclosure

2019.01.08
Credit: Secator
Risk: Medium
Local: No
Remote: Yes

Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite Vendor: OX Software GmbH Internal reference: 58880 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and 7.8.3 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev49 Vendor notification: 2018-06-05 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Unexpected "type" parameters of the "content" XML tag can be used to bypass our content sanitizer. In case users added malicious RSS feeds to OX App Suite or a legit RSS feed got taken over, this can be used to inject script-code to a users browser context. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Create a mailicious RSS feed 2. Make users subscribe to this feed using OX App Suite Proof of concept: <content></content> <content type="tex/html"></content> <content type="garbage"></content> Solution: In addition to the existing sanitizers, we added a frontend-level protection to avoid plain-text to be executed as script code. --- Internal reference: 58874 (Bug ID) Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.8.4 and earlier Vulnerable component: documentconverter Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev5, 7.8.3-rev7, 7.6.3-rev4 Vendor notification: 2018-06-05 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12609 CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) Vulnerability Details: Using specific XML tags within Powerpoint presentations can be used to trigger network requests on the server side while converting the document. Risk: Internal network endpoints can be accessed and their default response is being exposed to the attacker. Attackers can use timing attacks and response information to discover valid network services for reconnaissance. Steps to reproduce: 1. Create a mailicous PPTX file 2. Upload this file to OX App Suite 3. Trigger a document preview on the file Proof of concept: <Relationship TargetMode="External" Target="http://localhost:8008/documentconverterws?action=convert&amp;url=http://localhost:8008/documentconverterws&amp;targetformat=png" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId3"> Solution: In addition to blocking file-system level access, we're now blocking all kinds of external references when processing XML when convering documents. --- Internal reference: 58282 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39 Vendor notification: 2017-04-25 Solution date: 2018-06-25 Public disclosure: 2018-31-12 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: A API endpoint meant for monitoring purposes can be used to reflect HTTP headers and by that script code. To exploit this, the user needs to follow a hyperlink on a malicious website. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Upload and share a snippet of bare JS code (no tags) to OX App Suite 2. Create a malicious website that redirects to "TestServlet" 3. Make the user follow a hyperlink that contains script code as URL parameter 4. The URL parameters content will be reflected as "referer" header by "TestServlet" Proof of concept: https://www.example.com/referer.html?<script/src=/appsuite/api/files/alert.json?action=document&folder=10&id=10%2F215&delivery=view></script/> Solution: We removed any reflected HTTP headers from TestServlet. --- Internal reference: 58256 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39 Vendor notification: 2018-04-24 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Font prefix information can bypass our sanitizers and returned as HTML content when using specific combinations of brackets and quotes. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Create a HTML mail with malicious content like images with font parameters applied through CSS 2. Make a App Suite user open that mail Proof of concept: <p><img src=x style=font:"'onerror='{font:alert(document.cookie)}></p> <p><img src=x style=font:"'onerror=alert(document.cookie),{></p> Solution: We now block font prefix information in case malformed font attributes are detected. --- Internal reference: 58226 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33 Vendor notification: 2018-04-20 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: A URL parameter can be used to inject fake "themes" to user settings. If a users follows such a malicious link, script code is being executed. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Create a hyperlink containing the "theme" parameter, which refers to a URL containing script code 2. Make a user follow this link Proof of concept: https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22 Solution: We added frontend sanitization to this kind of parameters as they are not processed by our sanitizers. -- Internal reference: 58161 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and 7.8.3 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev43 Vendor notification: 2018-04-16 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The "forgot password" link shown at the login page can be modified by using URL parameters. In case users are following forged links, script code can be injected there. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Create a hyperlink containing the "forgot-password" parameter, which refers to a script code using URI scheme 2. Make a user follow this link Proof of concept: https://example.com/appsuite/#!!&forgot-password=javascript:alert(1) Solution: We removed usage of this URL parameter so it will not be reflected anymore. -- Internal reference: 58096 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.8.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33 Vendor notification: 2018-04-11 Solution date: 2018-06-25 Public disclosure: 2018-12-31 Researcher Credits: Secator CVE reference: CVE-2018-12611 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: HTML mails can contain "mailto:" hyperlinks with body parameters that make TinyMCE create E-Mails with HTML elements. These elements can contain script code which is being executed if the user interacts with those elements. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Steps to reproduce: 1. Create a HTML mail with a hyperlink that points to a mailto: resource and contains script code 2. Make a user follow this link and then click the injected HTML element Proof of concept: mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E Solution: We now sanitize HTML content which gets pasted to the HTML editor through "mailto:" links. -- Internal reference: 58051 (Bug ID) Vulnerability type: Information Exposure (CWE-200) Vulnerable version: 7.8.4 and 7.8.3 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev49 Vendor notification: 2018-04-09 Solution date: 2018-06-25 Public disclosure: 2018-12-31 CVE reference: CVE-2018-12610 CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: People which get access to (public) sharing links are able to request the share owners E-Mail address, even though its not required to make sharing work. Risk: Semi-confidential information is being exposed unexpectedly to external entities. This can be used to run targetted spam and malware attacks. Steps to reproduce: 1. Create a share of files, calendar etc. and forward this link to the public or another person 2. Open the share link and run a "list" call of the user API and iterate through user IDs Proof of concept: PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=xxx [3] <!DOCTYPE html><html><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><script type="text/javascript">(parent["callback_yell"] || window.opener && window.opener["callback_yell"])({"data":[[6,6,"useruser\"><img>, =8*8","=8*8","useruser\"><img>",null,6,"user@example.com",null,-1,null]],"timestamp":1523086065259})</script></head></html> Solution: We removeed user e-mail addresses when responding to API calls triggered by (anonymous) guests. -- Internal reference: 58029 (Bug ID) Vulnerability type: Information Exposure (CWE-200) Vulnerable version: 7.8.4 and 7.8.3 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev34, 7.8.3-rev49 Vendor notification: 2018-04-06 Solution date: 2018-06-25 Public disclosure: 2018-12-31 CVE reference: CVE-2018-12610 CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: In case sessions to access shares are active they will not be terminated in case the owner of the share modifies the shares pasword or lifetime. Risk: Existing user sessions have access to shares which security level has been upgraded or which are not meant to be accessible by the previous set of users. Steps to reproduce: 1. Open or login to a share 2. As owner of the share, modify the shares password 3. Use the API to request shared data using the previously authenticated session Proof of concept: https://example.com/appsuite/api/files?action=zipfolder&folder=851&recursive=true&session=xxx Solution: We now terminate all active sessions for guests that have access to a share in case that shares password was modified.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top