Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting

Open-Xchange OX App Suite suffers from a content spoofing, cross site scripting, and information disclosure vulnerabilities. Versions affected vary depending on the vulnerability.


MD5 | e4f984f70b4911993c1fb35b6018270a

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Vulnerability Details:
Appointment titles are rendered as hyperlink but were missing a protection against "tab nabbing".

Risk:
When following a hyperlink to a malicious website, the original tab location (OX App Suite) could be replaced with a URL chosen by the attacker. This can be exploited to trick users to re-enter credentials to a seemingly legitimate website and as a result take over accounts.

Steps to reproduce:
1. Create a appointment invitation that contains a link to a malicious website including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the appointments title
3. Provide a effective exploit to overwrite the users original URL and fake a login page

Proof of concept:
Appointment title content:
<a href="//www.evil.com/window.html" target="_blank">Click Me! :-)

Payload:
<script>
window.opener.location.replace('//www.evil-fakelogin.com/');
</script>


Solution:
We extended the usage of existing protection mechanisms (blankshield) to this case.


---


Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When replying to a HTML E-Mail with specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen as browsers incorrectly "fix" HTML content as demonstrated by @kinugawamasato for Google Search.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail

Proof of concept:
Test
<noscript><p class="xss">Another XSS!
<!-- --!
> <img src=x onerror=alert(document.domain)>


Solution:
We improved our filter and whitelisting mechanisms to block this kind of code from entering the browsers rendering engine.


---


Internal reference: 64703 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When opening a embedded HTML E-Mail, sanitization mechanisms were not active.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and embed/attach it to another E-Mail
2. Make the user open to embedded E-Mail using OX App Suites "View" feature

Proof of concept:
<img src=x onerror=alert(document.domain)>


Solution:
We now use existing filtering mechanisms when processing embedded or attached E-Mail.


---


Affected product: OX App Suite
Internal reference: 62465 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.6.3 and later
Vulnerable component: driverestricted, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (driverestricted): 7.6.3-rev4, 7.8.3-rev8, 7.8.4-rev6, 7.10.0-rev5, 7.10.1-rev4
Fixed version (backend): 7.6.3-rev46, 7.8.3-rev56, 7.8.4-rev52, 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-01-14
Solution date: 2019-05-13
Public disclosure: 2019-08-15
CVE reference: CVE-2019-11806
CVSS: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Bundles that contain private keys and passwords for OX Drive related push services were deployed without proper file-system permissions. We also fixed default file-system permissions for related configuration files that potentially contain passwords set by the operator.

Risk:
A user with non privileged system-level access could access and extract the bundles (JAR files) and analyze their byte-code. From that its possible to extract both the private key for APN certificates as well as their encryption password and GCM key/secret pairs. Extracting this does not open a specific attack vector but we consider the information confidential and our handling did not adhere to our standards with that kind of information.

Steps to reproduce:
1. Use a non privileged user account to access an OX App Suite Middleware machine
2. Check file permissions for "driverestricted" bundles that contain secret keys and passwords

Solution:
We updated file-system level permissions for such bundles and configuration files.


Related Posts