lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 7 Nov 2014 12:33:55 +0100 (CET)
From: Martin Heiland <martin.heiland@...n-xchange.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Open-Xchange Security Advisory 2014-11-07

Product: OX App Suite
Vendor: Open-Xchange GmbH

Internal reference: 34765 (Bug ID)
Vulnerability type: SQL Injection (CWE-89)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Researcher credits: SoftScheck GmbH
Fixed version: 7.4.2-rev36, 7.6.0-rev23
Vendor notification: 2013-10-06
Solution date: 2014-10-08
Public disclosure: 2014-11-07
CVE reference: CVE-2014-7871
CVSSv2: 7.6 (AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A SQL injection vulnerability has been identified at the "jslob" API call. Abusing the MySQL "ExtractValue" function allows execution of arbitrary SQL code by passing it through MySQLs XPath interpreter. 30 characters of the injected SQL queryies result are returned as an error message by the parser when failing to evaluate XPath. This issue affects MySQL 5.1 and later.

Risk:
Confidential data may get exposed to authenticated users (attackers). OX AppSuite user passwords are stored hashed and salted either using SHA1 or bcrypt, making it hard to gather plain-text passwords. However, other information like server configuration data, configuration files and database content could be extracted using this vulnerability. Even though the amount of returned data is limited to 30 characters for each request, this vulnerability can be used to subsequently gather more information by using scripts.

Steps to reproduce:
Forge a PUT request to the jslob api and escape the JSON structure, inject invalid XPath syntax and a piggy-back SQL query to the MySQL XPath interpreter. Bound to german law, we're not allowed to disclose exploit code that could be used to attack in-production systems.

Possible solutions:
Update to the latest available version of OX AppSuite/OX6 backend.
Configure a web application firewall to mitigate such requests.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ