
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2019-04-01
From:       Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-04-01 8:13:07
Message-ID: 2E0B6D2F-9BE1-459F-8007-13BC834A08B9 () open-xchange ! com



Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH


Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 61771 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.6.3-rev44, 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-23
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7159
CVSS: 4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The "oxsysreport" tool failed to sanitize custom configuration parameters that could contain credentials such as API keys.

Risk:
Unintended configuration information has been collected and potentially sent to OX for further analysis. This transmission would happen through secure channels and to authorized personnel. We have no indication that data was used illegitimately.

Steps to reproduce:
1. Have configuration properties that don't match the expected format (e.g. commented out, custom key format)
2. Run oxsysreport and check what parameters have been sanitized

Solution:
We made sure to remove all incorrectly collected information and removed backups thereof. To solve the root cause, the oxsysreport tool has been updated to deal with other patterns of properties.
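As an added example (not Open-Xchange's code and not how oxsysreport is implemented), the contrast below shows why a redaction rule tied to one strict "key=value" line shape misses exactly the commented-out and custom-format lines the advisory describes, and what a tolerant rule looks like; the property file, its key names and its values are constructed for illustration.

```python
import re

# Constructed properties file as a support-report tool might collect it.
# Line 2 is commented out, line 3 uses leading whitespace and a ':' separator,
# line 4 uses a non-standard key style; none of the names are real OX keys.
SAMPLE = """\
com.example.mail.password=hunter2
# com.example.oauth.apiSecret = 0123456789abcdef
  com.example.smtp.password : topsecret
custom.APIKEY=AKIAEXAMPLE
com.example.mail.host=imap.example.org
"""
SECRETS = ["hunter2", "0123456789abcdef", "topsecret", "AKIAEXAMPLE"]

# Key names whose values should never leave the host.
SECRET_KEYS = re.compile(r"(password|passwd|secret|api[._-]?key|token)", re.IGNORECASE)

# Narrow rule: only "key=value" starting at column 0, no whitespace, no comment
# marker, '=' only. Lines in any other shape pass through untouched.
NARROW = re.compile(r"^([A-Za-z0-9._]+)=(.*)$")

def sanitize_narrow(text):
    out = []
    for line in text.splitlines():
        m = NARROW.match(line)
        if m and SECRET_KEYS.search(m.group(1)):
            out.append(f"{m.group(1)}=<redacted>")
        else:
            out.append(line)
    return "\n".join(out)

# Tolerant rule: optional leading whitespace, optional '#' or '!' comment
# marker, '=' or ':' separator with optional surrounding whitespace.
# The line's original shape is preserved; only the value is replaced.
BROAD = re.compile(r"^(\s*[#!]?\s*)([^\s=:]+)(\s*[=:]\s*)(.*)$")

def sanitize_broad(text):
    out = []
    for line in text.splitlines():
        m = BROAD.match(line)
        if m and SECRET_KEYS.search(m.group(2)):
            out.append(f"{m.group(1)}{m.group(2)}{m.group(3)}<redacted>")
        else:
            out.append(line)
    return "\n".join(out)

def leaked_secrets(text, secrets):
    """Return the known secrets that still appear in the sanitized output."""
    return [s for s in secrets if s in text]
```

Checking the sanitized output against the list of known secret values, as `leaked_secrets` does, is the kind of test that catches this class of gap before a report leaves the host.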


---


Internal reference: 61315 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-06
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7158
CVSS: 4.2 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
In case users chose not to "stay signed in", or the operator disabled that functionality, cookies are maintained for a "session" lifetime to make sure they expire after the browser session has ended. Using "reload" on the existing browser session gave the impression that the session had already been terminated, as the login screen would be shown afterwards. However, those cookies are maintained by the browser for the remainder of the session, until the browser tab or window is closed.

Risk:
Users could get the incorrect impression that their session had been terminated after reloading the browser window. In fact, the credentials for authentication (cookies) were maintained, and other users with physical access to the browser could re-use them to execute API calls and access the other user's data.

Steps to reproduce:
1. Login with "Stay signed in" disabled
2. Reload the browser
3. Check which cookies are maintained while the "login" page is displayed

Solution:
We now drop the session associated with the existing secret cookie on the server side in case a new login is performed and thus a new secret cookie is about to be written.

