
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2019-08-15
From:       Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2019-08-15 8:03:40
Message-ID: 425282AE-4395-4F46-BF26-4AB6F8231D4A () open-xchange ! com


Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX Guard
Vendor: OX Software GmbH

Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other HTML attachments. A variation of the original issue has been found that is based on incorrect entries in the global event handler blacklist.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (sending mail, deleting data, etc.).

Steps to reproduce:
1. Create an HTML mail with curly brackets that disguise event handlers in CSS
2. Make an App Suite user open the malicious mail

Proof of concept:
<div style=width:100%;height:10px;font:\"'/{/onMouseLeave=alert(1)//></div>

Solution:
We updated the list of blacklisted event handlers to close this bypass. Operators may apply a workaround by editing "globaleventhandlers.list" and changing the incorrect entry "onmounseleave" to "onmouseleave".
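The fix above hinges on a single misspelled blacklist entry, which a blacklist-based sanitizer never notices on its own. The following added example (not code from Open-Xchange or OX Guard; the handler list, the blacklist file contents and the file format are constructed assumptions) shows two defensive checks an operator can run: an audit of a handler blacklist against a reference list of known GlobalEventHandlers names, which surfaces typos such as "onmounseleave" and suggests the intended name, and a case-insensitive scan for handler references anywhere in the markup, including inside style values, run once against the flawed list and once against the corrected one using the advisory's own proof-of-concept markup.

```python
import re
from difflib import get_close_matches

# Constructed subset of the HTML GlobalEventHandlers attribute names, used here as
# the reference a blacklist is audited against. A production check would load the
# complete list from the HTML specification; this subset is enough to show the idea.
KNOWN_HANDLERS = {
    "onabort", "onblur", "onchange", "onclick", "ondblclick", "onerror", "onfocus",
    "onkeydown", "onkeypress", "onkeyup", "onload", "onmousedown", "onmouseenter",
    "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup",
    "onresize", "onscroll", "onsubmit", "onwheel",
}

# Constructed sample of a blacklist file (one handler per line, '#' comments),
# carrying the misspelling the advisory names: "onmounseleave" for "onmouseleave".
SAMPLE_BLACKLIST = """\
# global event handlers the sanitizer strips
onabort
onclick
onerror
onload
onmouseenter
onmounseleave
onmouseover
"""

# The advisory's proof-of-concept markup, embedded as input for the scanner.
POC_MARKUP = '<div style=width:100%;height:10px;font:\\"\'/{/onMouseLeave=alert(1)//></div>'


def parse_blacklist(text):
    """Return the lower-cased, non-empty, non-comment entries of a blacklist file."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def audit_blacklist(entries, known=KNOWN_HANDLERS):
    """Flag entries matching no known handler (likely typos) and known handlers the list omits.

    For each unknown entry the closest known handler name is suggested, so a
    misspelling such as "onmounseleave" is reported next to "onmouseleave".
    """
    unknown = {}
    for entry in sorted(entries - known):
        match = get_close_matches(entry, sorted(known), n=1, cutoff=0.8)
        unknown[entry] = match[0] if match else None
    missing = sorted(known - entries)
    return {"unknown_entries": unknown, "missing_handlers": missing}


# A handler reference is "on" plus letters immediately followed by '=', matched
# case-insensitively anywhere in the markup, so a handler smuggled into a style
# value behind quotes and curly brackets is still seen.
HANDLER_TOKEN = re.compile(r"on[a-z]+(?=\s*=)", re.IGNORECASE)


def find_blacklisted_handlers(markup, entries):
    """Return the blacklisted handler names that occur in the markup, sorted."""
    found = {m.group(0).lower() for m in HANDLER_TOKEN.finditer(markup)}
    return sorted(found & entries)


if __name__ == "__main__":
    entries = parse_blacklist(SAMPLE_BLACKLIST)
    report = audit_blacklist(entries)
    print("suspect entries:", report["unknown_entries"])
    print("caught with the flawed list:", find_blacklisted_handlers(POC_MARKUP, entries))
    fixed = (entries - {"onmounseleave"}) | {"onmouseleave"}
    print("caught after the fix:", find_blacklisted_handlers(POC_MARKUP, fixed))
```

The audit is the part worth scheduling: a blacklist only protects against the names it actually contains, so any entry that is not a known handler name is a silent hole, and any known handler absent from the list is an explicit one. The scanner is deliberately not an HTML parser; it looks for the `on...=` shape in the raw bytes, which is how the curly-bracket trick in the proof of concept is still caught once the list entry is spelled correctly.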


--


Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of techniques that make a valid signature appear to belong to the trusted communication partner named in the mail header, although the crafted email is actually signed by an attacker. Our findings are based on the work of a team of researchers who published these spoofing techniques under the "Johnny You Are Fired" project name.

Risk:
Recipients of signed PGP mail could be fooled into assuming the mail originates from a trusted source rather than an attacker. This would elevate the mail's trust level and potentially ease social-engineering attacks.

Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different source

Proof of concept:
https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id

Solution:
We improved validation and ensure that mail with a valid signature is only evaluated as "trusted" if the sender matches the signature issuer. We also extended our API to provide more information about a specific signature so that clients can add their own checks and handle invalid signature information.
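The rule stated in the solution, a valid signature is shown as trusted only when the sender matches the signature issuer, is small enough to write down in full. The following added example (not OX Guard code; the dictionary layout of a verification result, the key fingerprints and the addresses are constructed assumptions) implements that decision as three ordered checks and exercises the case the advisory describes, a mail that carries a genuinely valid signature but from a different key than the one bound to the From: address.

```python
from email.utils import parseaddr

# Constructed placeholders: 40-hex-digit fingerprints and example.com addresses.
ALICE_FPR = "0" * 39 + "1"
MALLORY_FPR = "0" * 39 + "2"
FORGED_FPR = "0" * 39 + "3"

# The recipient trusts Alice's and Mallory's keys; the forged key is unknown.
TRUSTED_FINGERPRINTS = {ALICE_FPR, MALLORY_FPR}

# Constructed verification results in the shape an OpenPGP library might return
# (an assumption for this example, not the OX Guard API).
ALICE_KEY_RESULT = {
    "valid": True,
    "fingerprint": ALICE_FPR,
    "uids": ["Alice Example <alice@example.com>"],
}
MALLORY_KEY_RESULT = {
    "valid": True,
    "fingerprint": MALLORY_FPR,
    "uids": ["Mallory <mallory@attacker.example>"],
}
# An unknown key whose user ID merely claims Alice's address.
FORGED_ALICE_KEY_RESULT = {
    "valid": True,
    "fingerprint": FORGED_FPR,
    "uids": ["Alice Example <alice@example.com>"],
}


def _normalize_address(addr):
    """Lower-case the address; a real deployment would also apply IDNA rules."""
    return addr.strip().lower()


def uid_addresses(uids):
    """Extract the mailbox address from each OpenPGP user ID string."""
    addrs = set()
    for uid in uids:
        _, addr = parseaddr(uid)
        if addr:
            addrs.add(_normalize_address(addr))
    return addrs


def signature_trust(from_header, sig_result, trusted_fingerprints):
    """Decide whether a verified signature may be displayed as 'trusted'.

    All three conditions must hold: the signature verifies, the signing key is
    one the recipient trusts, and the address part of From: is bound to a user
    ID of that key. Only the address is compared, never the display name, so a
    display name that looks like an address does not count.
    Returns (trusted, reason).
    """
    if not sig_result or not sig_result.get("valid"):
        return False, "signature missing or did not verify"
    fingerprint = sig_result.get("fingerprint", "").upper()
    if fingerprint not in {f.upper() for f in trusted_fingerprints}:
        return False, "signing key is not trusted"
    _, sender = parseaddr(from_header)
    sender = _normalize_address(sender)
    if not sender:
        return False, "From: carries no parsable address"
    if sender not in uid_addresses(sig_result.get("uids", [])):
        return False, "sender %s is not a user ID of the signing key" % sender
    return True, "sender matches signature issuer"


if __name__ == "__main__":
    header = "Alice Example <alice@example.com>"
    for label, result in (("alice's key", ALICE_KEY_RESULT),
                          ("mallory's key", MALLORY_KEY_RESULT),
                          ("forged key", FORGED_ALICE_KEY_RESULT)):
        print(label, "->", signature_trust(header, result, TRUSTED_FINGERPRINTS))
```

The ordering matters: the fingerprint check runs before the address comparison, so an attacker-generated key that simply copies the victim's user ID is rejected as untrusted before its user ID is ever consulted, and a trusted but unrelated key is rejected because its user IDs do not contain the From: address. The second outcome is exactly the "valid signature, wrong issuer" condition the advisory closes.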



