lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 17 Jan 2019 10:09:43 +0100
From: Open-Xchange GmbH <martin.heiland.lists@...n-xchange.com>
To: fulldisclosure@...lists.org
Subject: [FD] Open-Xchange Security Advisory 2019-01-18

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH




Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Attachment file names in mail can be used to inject script code, in case the victim uses "mouse over" on the attachment.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient to expand the "attachments" area and mouse-over the attachment

Proof of concept:
------=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"


Solution:
We made sure to use the actual text node as label to avoid injecting DOM nodes.


---


Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be used to inject script code. Sharing such objects with other users allows to attack them. This requires both a trust relationship between those users - or both have to be provisioned to the same context.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a PIM object, like an appointment
2. Upload a attachment with malicious file name
3. Make the victim open the object in detail view

Proof of concept:
"><img src=x onerror=alert(document.domain)>.jpg

Solution:
We transformed file names to text nodes before adding them to DOM.


---


Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Specific URL parameters can be used to circumvent handling of potentially malicious files. Usually we force the user agent to download such files instead of eventually opening them.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to trigger UA content guessing
3. Create a link to download that file and use the content_disposition=inline parameter
4. Share the link with some other user of the system, or a guest and make them open it

Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline

Solution:
We now prefer server-side content-disposition defaults over client-side parameters when dealing with attachments.


---


Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Data with references to external content, like images of a contact imported as vcard, can be used to force redirects to local, restricted or internal network addresses.

Risk:
This can be used to perform port scanning to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create a malicious vcard file, including a remote location for the "PHOTO" attribute
2. Configure the provided host in a way that it responds with HTTP 30X redirects to internal hosts
3. Upload the vcard file to the App Suite system, monitor the runtime and response code

Proof of concept:
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg

Solution:
We no longer follow HTTP redirects pointing to local or network-internal locations.


---


Internal reference: 56558 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.3 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-19
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
IP black-lists can be circumvented by using non-decimal representation of IP addresses.

Risk:
This can be used to perform port scanning, host discovery and content retrieval to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create content with external references, for example a RSS feed
2. Use octal or hexadecimal representation of IP addresses (8, 16, 24 or 32bit)

Proof of concept:
Octal:
http://017700000001/foo.xml

Hex:
http://0x7f000001/foo.xml

Decimal:
http://2130706433/foo.xml

Solution:
We now properly detect octal and hexadecimal IP address representations


---


Internal reference: 56406 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev40
Vendor notification: 2017-12-06
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Content of mails added to Portal are being executed as script code. This way malicious code within mails can get stored persistently.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a E-Mail with malicious script code
2. Make a user add this E-Mail to the Portal

Proof of concept:
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
</head>
<body>
<p style="" class="default-style">&#60;img src=&#34;x&#34; onerror=&#34;alert(document.cookie);&#34;&#62;</p>
</body>
</html>

Solution:
We adjusted "unescaping" of mail content at the frontend side.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists