Open-Xchange OX App Suite Cross Site Scripting / SSRF

Open-Xchange OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities. The vulnerabilities span multiple versions.


MD5 | 0f83a06f2870765960fa46b3d0ee12cc

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Attachment file names in mail can be used to inject script code, which executes when the victim moves the mouse over the attachment.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient expand the "attachments" area and mouse-over the attachment

Proof of concept:
------=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"


Solution:
We made sure to use the actual text node as label to avoid injecting DOM nodes.


---


Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be used to inject script code. Sharing such objects with other users allows attacking them. This requires either a trust relationship between those users or both users being provisioned in the same context.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a PIM object, like an appointment
2. Upload an attachment with a malicious file name
3. Make the victim open the object in detail view

Proof of concept:
"><img src=x onerror=alert(document.domain)>.jpg

Solution:
We transformed file names to text nodes before adding them to DOM.
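Both file-name issues above (bugs 59653 and 59507) come from the same pattern: an attacker-controlled name is concatenated into markup that the browser then parses, so a name containing a tag or an attribute break becomes live DOM. The following is an added example, not code from OX App Suite; the function names and the sample names are constructed for illustration. It contrasts the vulnerable string-building form with an escaped form and with the text-node form the vendor's fix describes.

```javascript
// Added example, not OX App Suite code: rendering an attacker-controlled
// attachment file name into a label. Function names are illustrative.

// Constructed sample names, modelled on the proof-of-concept strings above.
const SAMPLE_NAMES = [
  'report.pdf',
  '<u onmouseover=alert(1)>w',
  '"><img src=x onerror=alert(document.domain)>.jpg',
];

// Vulnerable pattern: the name is concatenated into markup that is later
// handed to innerHTML / $(...).html(), so tags and attributes in it are parsed.
function renderAttachmentUnsafe(name) {
  return '<span class="filename" title="' + name + '">' + name + '</span>';
}

// Escape the five characters that can change meaning in HTML text or in a
// double-quoted attribute. This is the string-building equivalent of
// putting the name into a text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderAttachmentSafe(name) {
  const escaped = escapeHtml(name);
  return '<span class="filename" title="' + escaped + '">' + escaped + '</span>';
}

// Preferred form in a browser, and the approach the vendor describes: build
// the element and let the DOM treat the name as data. `doc` is a Document;
// this helper is not called below because the script runs under Node.
function renderAttachmentDom(doc, name) {
  const span = doc.createElement('span');
  span.className = 'filename';
  span.title = name;                          // property assignment, not HTML parsing
  span.appendChild(doc.createTextNode(name)); // text node, never innerHTML
  return span;
}

for (const name of SAMPLE_NAMES) {
  console.log('unsafe:', renderAttachmentUnsafe(name));
  console.log('safe:  ', renderAttachmentSafe(name));
}
```

Escaping at the last moment before concatenation is acceptable when markup strings are unavoidable, but `createTextNode` / `textContent` removes the question entirely, because the value is never run through the HTML parser.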


---


Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Specific URL parameters can be used to circumvent the handling of potentially malicious files. Normally the server forces the user agent to download such files instead of opening them inline.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to trigger the user agent's content-type guessing
3. Create a link to download that file and use the content_disposition=inline parameter
4. Share the link with some other user of the system, or a guest and make them open it

Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline

Solution:
We now prefer server-side content-disposition defaults over client-side parameters when dealing with attachments.
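The fix described above amounts to one server-side decision: the client may ask for inline delivery, but the server only honours that for types it knows a browser cannot turn into script. The following is an added example, not OX App Suite code; the allow-list, the `downloadHeaders` / `encodeFilename` names and the sample request are assumptions made for illustration.

```javascript
// Added example, not OX App Suite code: choosing Content-Disposition on the
// server for a stored file. The allow-list and helper names are assumptions.

// Types a browser may render inline without executing script. Everything
// else is forced to download regardless of what the client asked for.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'application/pdf', 'text/plain',
]);

// Build the filename parameters: an ASCII fallback with CR, LF, quote and
// backslash replaced, plus an RFC 5987 filename* carrying the exact name.
function encodeFilename(name) {
  const ascii = name.replace(/[\r\n"\\]/g, '_').replace(/[^\x20-\x7e]/g, '_');
  const utf8 = encodeURIComponent(name)
    .replace(/['()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `filename="${ascii}"; filename*=UTF-8''${utf8}`;
}

// storedType: the MIME type recorded when the file was uploaded (server-side).
// query: the request's query parameters (client-controlled).
function downloadHeaders(storedType, filename, query) {
  const type = String(storedType || 'application/octet-stream')
    .split(';')[0].trim().toLowerCase();
  // The client may request inline delivery, but the server decides:
  // only allow-listed types are ever served inline.
  const inline = query.content_disposition === 'inline' && INLINE_SAFE_TYPES.has(type);
  return {
    'Content-Type': type,
    'Content-Disposition': (inline ? 'inline' : 'attachment') + '; ' + encodeFilename(filename),
    'X-Content-Type-Options': 'nosniff', // stop the UA from guessing a scriptable type
  };
}

// Constructed request mirroring the PoC: an HTML payload stored as XHTML,
// requested with content_disposition=inline.
console.log(downloadHeaders('application/xhtml+xml', 'html-xml', { content_disposition: 'inline' }));
console.log(downloadHeaders('image/png', 'photo.png', { content_disposition: 'inline' }));
```

`X-Content-Type-Options: nosniff` closes the second half of the PoC, where the attacker relied on the browser guessing a renderable type from the file body rather than trusting the declared one.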


---


Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Data with references to external content, such as the photo of a contact imported from a vCard, can be used to make the server follow redirects to local, restricted or internal network addresses.

Risk:
This can be used to perform port scanning to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create a malicious vCard file whose "PHOTO" attribute points to a remote location
2. Configure the referenced host to respond with HTTP 30x redirects to internal hosts
3. Import the vCard into the App Suite system and observe the response time and status code

Proof of concept:
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg

Solution:
We no longer follow HTTP redirects pointing to local or network-internal locations.


---


Internal reference: 56558 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.3 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-19
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
IP blacklists can be circumvented by using non-decimal representations of IP addresses.

Risk:
This can be used to perform port scanning, host discovery and content retrieval to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create content with external references, for example a RSS feed
2. Use octal or hexadecimal representation of IP addresses (8, 16, 24 or 32bit)

Proof of concept:
Octal:
http://017700000001/foo.xml

Hex:
http://0x7f000001/foo.xml

Decimal:
http://2130706433/foo.xml

Solution:
We now properly detect octal and hexadecimal IP address representations.
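The two SSRF issues above (bugs 56457 and 56558) are two halves of one problem: the destination has to be validated after every normalisation step the target's URL and network stack will perform, and again at every redirect hop, not once against the raw string. The following is an added example, not OX App Suite code, that does both for IPv4. `parseIPv4` follows the lenient `inet_aton` rules (hex, octal and decimal parts, and one to four parts with the last one filling the remaining bytes), `isInternalIPv4` checks the usual non-routable ranges, and `safeFetch` re-validates before each hop. The "DNS" and "HTTP" backends are constructed lookup tables so the script runs offline; real code would use `dns.lookup` and an HTTP client with redirects disabled.

```javascript
// Added example, not OX App Suite code. All helper names are illustrative;
// FAKE_DNS and FAKE_HTTP are constructed stand-ins so this runs offline.

// Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal.
function parsePart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(s))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(s)) return parseInt(s, 10);
  return NaN;
}

// inet_aton semantics: 1 to 4 parts, the last part fills the remaining bytes.
// Returns the address as an unsigned 32-bit number, or null if not an IPv4 literal.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums[nums.length - 1];
  const lastMax = 2 ** (8 * (5 - parts.length));   // bytes covered by the last part
  if (nums.slice(0, -1).some((n) => n > 255) || last >= lastMax) return null;
  let v = 0;
  for (let i = 0; i < nums.length - 1; i++) v = v * 256 + nums[i];
  return (v * 256 ** (5 - parts.length) + last) >>> 0;
}

// Non-routable / local ranges that an outbound fetcher must never reach.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];
function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}
function isInternalIPv4(addr) {
  return BLOCKED_V4.some(([base, bits]) => inCidr(addr, base, bits));
}

// Constructed stand-in for DNS. Real code: dns.lookup with {all: true}, check
// every returned address, and pin the chosen one for the actual connection.
const FAKE_DNS = { 'testserver65.com': ['203.0.113.10'], 'rss.example': ['198.51.100.7'] };
function resolveHost(hostname) {
  const h = hostname.replace(/\.$/, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return ['127.0.0.1'];
  return parseIPv4(h) !== null ? [h] : (FAKE_DNS[h] || []);
}

// Returns null if the URL may be fetched, otherwise the reason it was refused.
// Note: the WHATWG URL parser already rewrites 0x7f000001 to 127.0.0.1; parsers
// in other stacks do not, which is why the check runs on parsed addresses.
function rejectReason(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'scheme not allowed: ' + u.protocol;
  if (u.hostname.startsWith('[')) return 'IPv6 literal not allowed'; // assumption: v6 policy lives elsewhere
  const addrs = resolveHost(u.hostname);
  if (addrs.length === 0) return 'unresolvable host: ' + u.hostname;
  for (const a of addrs) {
    const n = parseIPv4(a);
    if (n === null || isInternalIPv4(n)) return 'internal address: ' + a;
  }
  return null;
}

// Constructed stand-in for an HTTP client that does NOT follow redirects itself.
const FAKE_HTTP = {
  'http://testserver65.com:70/test.jpeg': { status: 302, location: 'http://127.0.0.1:8080/admin' },
  'http://rss.example/feed.xml': { status: 200, body: '<rss/>' },
};

// Follow redirects by hand, re-validating the destination before every hop.
function safeFetch(startUrl, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const why = rejectReason(url);
    if (why) throw new Error('blocked ' + url + ': ' + why);
    const resp = FAKE_HTTP[url] || { status: 404, body: '' };
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      url = new URL(resp.location, url).href;   // resolve a relative Location too
      continue;
    }
    return resp;
  }
  throw new Error('too many redirects');
}

for (const start of ['http://rss.example/feed.xml', 'http://testserver65.com:70/test.jpeg', 'http://0x7f000001/foo.xml']) {
  try { console.log(start, '->', safeFetch(start).status); }
  catch (e) { console.log(start, '->', e.message); }
}
```

Two caveats a real implementation has to add: the address check must be applied to what the socket actually connects to (pin the resolved IP, or resolve and validate inside the client's connect hook) so that a DNS answer cannot change between validation and connection, and IPv6 literals including IPv4-mapped forms such as `::ffff:127.0.0.1` need their own equivalent of `parseIPv4`.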


---


Internal reference: 56406 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev40
Vendor notification: 2017-12-06
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Content of mails added to the Portal is executed as script code. This way malicious code within mails can be stored persistently.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious script code
2. Make a user add this E-Mail to the Portal

Proof of concept:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p style="" class="default-style"><img src="x" onerror="alert(document.cookie);"></p>
</body>
</html>

Solution:
We adjusted the "unescaping" of mail content on the frontend side.

