[<prev] [next>] [day] [month] [year] [list]
Message-ID: <452340435.1584.1647875434373@appsuite-dev-guard.open-xchange.com>
Date: Mon, 21 Mar 2022 16:10:34 +0100 (CET)
From: Martin Heiland via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Open-Xchange Security Advisory 2022-03-21
Dear subscribers,
we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: OXUIB-1092
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev26
Vendor notification: 2021-11-15
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44208
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
System messages at the OX Chat component are escaped to avoid injection of malicious code. However, this check is not performed for messages that are "unknown" to the system. Such messages do not occur during normal operations.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink or compromise of chat components.
Steps to reproduce:
1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code
2. Make the victim connect to that infrastructure and request messages for their account
Solution:
We now sanitize "unknown" system messages, in case this scenario may ever happen in the wild.
---
Internal reference: MWB-1322
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-11-12
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44209
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Specific HTML5 tags and some attributes were not sufficiently considered when detecting malicious code thats being served as download.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
Steps to reproduce:
1. Upload a HTML5 document with specific tags, set a HTML file extension but a misleading media-type
2. Share the file and make a victim click a hyperlink to that resource
Proof of concept:
<audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio>
Solution:
We improved HTML detection and examine a complete list of tags, attributes and event handlers.
---
Internal reference: MWB-1260
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44210
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Certain media formats (NIFF) in this case, were not detected to contain potentially harmful content. This can be exploited by an attacker by uploading malicious content in disguise. Some browsers will attempt to render NIFF sources as inline content.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
Steps to reproduce:
1. Generate malicious JS/HTML content and upload it as NIFF image, change the media-type accordingly
2. Share that malicious code using "sharing"
3. Make a victim follow a link to the malicious share
Solution:
We now detect NIFF as potentially malicious content and force browsers to download it.
---
Internal reference: MWB-1259
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44211
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked to generate malicious output by injecting seemingly benign garbled HTML code.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require some level of access to the victims account, context and pull off a social engineering attack.
Steps to reproduce:
1. Create a malicious E-Mail signature
2. Share and make a victim select that E-Mail signature
Proof of concept:
<img src class="src=cid:asd onerror=alert('XSS')//">
Solution:
We now check the HTML "class" attribute for potential malicious content for HTML E-Mail signatures.
---
Internal reference: MWB-1219
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-17
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44212
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Script tags at HTML content can be obfuscated by using trailing control commands to bypass existing sanitizers.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
Steps to reproduce:
1. Create malicious script code and obfuscate HTML tags using control characters
2. Share the malicious code and make a victim click a link that points to this code
Proof of concept:
<script\t>alert("XSS");</script\t>
Solution:
We now improve detection of obfuscated HTML tags.
---
Internal reference: MWB-1216
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-13
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44213
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
Binary uu-encoded content at multipart/alternative E-Mails is processed as mail body without sanitization in certain cases.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this the victim needs to interact with the message.
Steps to reproduce:
1. Generate a malicious mail with binary unix-to-unix content and a specific header structure, add placeholder content to trigger the "Show entire message" feature
2. Send that E-Mail to the victim
3. As the victim, select the message and follow the "Show entire content" link
Proof of concept:
?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script>
Solution:
We now advertise uu-encoded E-Mail parts as file attachment rather than the mail body.
Download attachment "signature.asc" of type "application/pgp-signature" (822 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists