
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2020-06-12
From:       Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2020-06-12 8:07:37
Message-ID: EC6A1838-600B-428E-8CE2-2D8808282179 () open-xchange ! com


Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: 68441, 68453, 68454 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend, office documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2019-11-29
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2019-18846, CVE-2020-8544
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Our blacklisting restrictions for various APIs have flaws that allow attackers to bypass certain checks by using "smart" endpoints. In detail, the check whether a URL is blacklisted was performed independently of the request that accessed the actual resource. Malicious endpoints with knowledge of the application's state could abuse this to reach blacklisted resources. The same vulnerability affects multiple components.

Risk:
Users can trigger API calls that request local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Specify a resource where the endpoint responds differently based on the request count
3. Return a valid result on the blacklist request but an HTTP redirect when the resource is actually accessed

Solution:
We improved the blacklisting check to make sure the resource that is actually retrieved is the one being checked.
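The flaw and the fix described above come down to a check-then-use gap: the blacklist check walked the redirect chain once, and the real fetch walked it again, so a stateful endpoint could answer the two walks differently. The following added example (written for this page, not code from OX App Suite) contrasts the two patterns in Python. DNS and HTTP are replaced by constructed in-process stand-ins so it runs offline: FAKE_DNS, SmartEndpoint, the host names and addresses are all made up. The hardened fetcher generalises the advisory's RSS case: every hop of every redirect is resolved and validated immediately before it is fetched, and the fetch is pinned to the address that passed the check.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
FEED_URL = "http://feeds.example/rss"          # constructed feed URL


class BlockedUrl(Exception):
    """Raised when a hop of the fetch would reach a non-public address."""


# Constructed stand-ins for DNS and HTTP so the example runs offline.
FAKE_DNS = {
    "feeds.example": ["11.22.33.44"],   # constructed: plays a public host
    "intranet.example": ["10.0.0.5"],   # constructed: plays an internal host
}


class SmartEndpoint:
    """Constructed model of the advisory's "smart" endpoint: the first request
    for the feed gets a harmless answer, later requests get a redirect inward."""

    def __init__(self):
        self.hits = {}

    def respond(self, ip, url):
        """Return (status, headers, body); ip is the address the client connected to."""
        self.hits[url] = self.hits.get(url, 0) + 1
        if url == FEED_URL:
            if self.hits[url] == 1:
                return 200, {}, "<rss>harmless feed</rss>"
            return 302, {"Location": "http://intranet.example/admin"}, ""
        if url == "http://intranet.example/admin":
            return 200, {}, "internal admin page"
        return 404, {}, ""


def resolve(host):
    """Look a name up in the constructed table; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise BlockedUrl(f"{host}: cannot resolve")
    return FAKE_DNS[host]


def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url):
    """Validate scheme, host and every resolved address; return the address to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedUrl(f"{url}: scheme or host not allowed")
    ips = resolve(parts.hostname)
    if not all(is_public(ip) for ip in ips):
        raise BlockedUrl(f"{url}: resolves to a non-public address")
    return ips[0]


def naive_fetch(url, server):
    """Flawed pattern from the advisory: one redirect chain is walked only to
    validate, then a second, independent chain does the real fetch unchecked."""
    probe = url
    for _ in range(MAX_REDIRECTS + 1):          # validation walk
        status, headers, _ = server.respond(check_url(probe), probe)
        if status not in REDIRECT_STATUSES:
            break
        probe = urljoin(probe, headers["Location"])
    else:
        raise BlockedUrl("too many redirects")
    for _ in range(MAX_REDIRECTS + 1):          # retrieval walk: no checks at all
        status, headers, body = server.respond(resolve(urlsplit(url).hostname)[0], url)
        if status not in REDIRECT_STATUSES:
            return url, body
        url = urljoin(url, headers["Location"])
    raise BlockedUrl("too many redirects")


def safe_fetch(url, server):
    """Hardened pattern: validate each hop and fetch it in the same step, pinned
    to the address that was validated, so check and access cannot diverge."""
    for _ in range(MAX_REDIRECTS + 1):
        ip = check_url(url)
        status, headers, body = server.respond(ip, url)
        if status not in REDIRECT_STATUSES:
            return url, body
        url = urljoin(url, headers["Location"])   # re-validated at the top of the loop
    raise BlockedUrl("too many redirects")


def demo():
    """Run both fetchers against fresh copies of the smart endpoint."""
    leaked_url, _ = naive_fetch(FEED_URL, SmartEndpoint())
    endpoint = SmartEndpoint()
    _, first_body = safe_fetch(FEED_URL, endpoint)     # request 1: harmless feed
    try:
        safe_fetch(FEED_URL, endpoint)                 # request 2: redirect inward
        second = "allowed"
    except BlockedUrl as exc:
        second = f"blocked: {exc}"
    return leaked_url, first_body, second


if __name__ == "__main__":
    print(demo())
```

Against the constructed endpoint, `naive_fetch` returns the internal admin page because the validation walk saw only the harmless first answer, while `safe_fetch` refuses the second request at the redirect hop. In a real client, "pinned to the validated address" means connecting to that IP while sending the original Host header and SNI; letting the HTTP library resolve the name again on connect reopens the gap through DNS rebinding.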



---



Internal reference: 68478 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2019-12-02
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content into the mail signature editor. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that request local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a mail signature and use the "Code" feature
2. Make the user paste malicious HTML code, for example SVG with embedded JS
3. Example: <EMBED SRC="...

Solution:
We improved frontend sanitization of user-provided content.



---



Internal reference: 68681 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web / frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-09
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content into OX Documents, for example when composing a text document. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that request local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a document
2. Make the user paste malicious HTML/JS code
3. Example: tempor sit amet nulla non, <svg></p><style><a id="</style><img src=1 onerror=alert(ox.session)>"> sodales molestie velit

Solution:
We improved frontend sanitization of user-provided content.



---



Internal reference: OXUIB-39 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: zee_shan
CVE reference: CVE-2020-8542
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code within an HTML e-mail was executed under certain circumstances, for example after agreeing to load external images.

Risk:
Users can trigger API calls that request local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a malicious mail with external images
2. Make the user load external content within the mail
3. Example: <a class=xss style='font:"xss{color:color><img src onerror=alert(doc...

Solution:
The sanitizer has been improved to consider "getUnmodified" function calls.
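The three XSS items above (mail signature editor, OX Documents paste, HTML mail with external images) were all fixed by improving frontend sanitization. The advisory's own payloads show why blocklists fail: the OX Documents example hides an `<img onerror>` inside a `<style>` inside an `<svg>` so that the sanitizer and the browser disagree about where the tag boundaries are. The added example below (written for this page in Python, not OX's frontend code, which is JavaScript) shows the defensive principle: parse, keep only an allowlist of tags and attributes, drop event handlers and unsafe URL schemes, drop namespace-confusing elements together with their content, and re-serialize from the parsed structure so that stray end tags cannot escape an element. The allowlist and the benign sample are constructed; the hostile sample is the payload quoted in the OX Documents item.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for a signature / document editor context (illustrative only).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "span": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose whole content is dropped: raw-text and foreign-content elements
# are where parser/browser disagreements (mutation XSS) live.
DROP_CONTENT = {"script", "style", "svg", "math", "template", "iframe", "object", "embed"}

# Payload quoted in the advisory (OX Documents item).
PAYLOAD_FROM_ADVISORY = ('tempor sit amet nulla non, <svg></p><style><a id="</style>'
                         '<img src=1 onerror=alert(ox.session)>"> sodales molestie velit')


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # tags we actually emitted, so output stays balanced
        self.skip_depth = 0   # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            return
        allowed_attrs = ALLOWED.get(tag)
        if allowed_attrs is None:
            return  # unknown tag: drop the tag itself, keep its text content
        parts = []
        for name, value in attrs:
            if name not in allowed_attrs:
                continue  # drops on* handlers, style, id, class, ...
            value = value or ""
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, relative and bare values
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.stack:  # close only what we opened, unwinding in order
            while True:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:      # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a re-serialized, allowlisted version of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(sanitize('<p>Regards,<br><a href="https://example.com" onclick="x()">Site</a></p>'))
    print(sanitize(PAYLOAD_FROM_ADVISORY))
```

Because the output is rebuilt from the parse tree rather than patched in place, the `</p>` that the payload injects inside `<svg>` never reaches the output, and nothing from inside the `<svg>` survives regardless of how the parser treats `<style>` content. Python's `html.parser` is not a spec-compliant HTML5 parser; a production sanitizer should use one that is, in the same engine the content will be rendered in.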



---



Internal reference: MWB-34 (Bug ID)
Vulnerability type: Improper Parameter Validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: Johannes Moritz
CVE reference: CVE-2020-8543
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
Resource exhaustion can be triggered by sending pre-authenticated API requests with excessively long parameters.

Risk:
Degradation of availability and response times due to excessive resource usage while processing request parameters.

Steps to reproduce:
1. Call the /api/defer endpoint repeatedly with huge request parameters.

Solution:
We now limit and filter request parameter size to avoid denial-of-service vectors.
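The point of the fix above is that size limits have to be enforced before the expensive work of decoding and dispatching parameters, and on unauthenticated paths too. The added example below (written for this page, not OX's backend code) shows that ordering as a WSGI middleware in Python: the raw query string length is checked first, the field count is capped during decoding via `parse_qsl(max_num_fields=...)`, individual names and values are bounded afterwards, and the declared body length is checked before the application sees the request. The limits, the `echo_app` and the `/api/defer` request environ are constructed for the illustration; only the endpoint path comes from the advisory.

```python
from urllib.parse import parse_qsl

# Constructed illustrative limits, not OX's configuration.
MAX_QUERY_BYTES = 4096
MAX_BODY_BYTES = 1 << 20
MAX_PARAMS = 64
MAX_NAME_LEN = 64
MAX_VALUE_LEN = 1024


class RequestTooLarge(ValueError):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def check_query_string(raw):
    """Reject oversized query strings cheaply, then decode within a field cap."""
    if len(raw) > MAX_QUERY_BYTES:            # cheapest check first: no decoding yet
        raise RequestTooLarge("414 URI Too Long", f"query string of {len(raw)} bytes exceeds {MAX_QUERY_BYTES}")
    try:
        pairs = parse_qsl(raw, keep_blank_values=True, max_num_fields=MAX_PARAMS)
    except ValueError:
        raise RequestTooLarge("400 Bad Request", f"more than {MAX_PARAMS} parameters") from None
    for name, value in pairs:
        if len(name) > MAX_NAME_LEN or len(value) > MAX_VALUE_LEN:
            raise RequestTooLarge("414 URI Too Long", f"parameter {name[:MAX_NAME_LEN]!r} exceeds the size limit")
    return dict(pairs)


def check_content_length(environ):
    """Refuse bodies that are too large, or not sane, before reading any of them."""
    raw = environ.get("CONTENT_LENGTH") or "0"
    try:
        length = int(raw)
    except ValueError:
        raise RequestTooLarge("400 Bad Request", "malformed Content-Length") from None
    if length < 0 or length > MAX_BODY_BYTES:
        raise RequestTooLarge("413 Payload Too Large", f"body of {length} bytes exceeds {MAX_BODY_BYTES}")
    return length


class ParameterLimitMiddleware:
    """WSGI wrapper that applies the limits before the wrapped app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            check_query_string(environ.get("QUERY_STRING", ""))
            check_content_length(environ)
        except RequestTooLarge as exc:
            body = str(exc).encode()
            start_response(exc.status, [("Content-Type", "text/plain"),
                                        ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed stand-in for the real endpoint handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("handled " + environ["QUERY_STRING"][:40]).encode()]


def run_request(app, query_string, content_length="0"):
    """Drive a WSGI app with a constructed environ and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/defer",
               "QUERY_STRING": query_string, "CONTENT_LENGTH": content_length}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


protected = ParameterLimitMiddleware(echo_app)

if __name__ == "__main__":
    print(run_request(protected, "redirect=https%3A%2F%2Fexample.com"))
    print(run_request(protected, "a=" + "x" * 5000))
    print(run_request(protected, "&".join(f"p{i}=1" for i in range(100))))
```

The raw-length check returns 414 without touching the decoder, so a flood of huge parameters costs the server little more than reading the request line. `max_num_fields` exists in the standard library precisely because percent-decoding a query string with thousands of fields is itself the resource-exhaustion step; capping the count inside the decoder rather than after it keeps that cost bounded.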



---



Internal reference: DOCS-1658 (Bug ID)
Vulnerability type: Improper Restriction of XML External Entity (CWE-611)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev6, 7.10.2-rev5, 7.10.3-rev5
Vendor notification: 2020-01-22
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: Hasan Ali
CVE reference: CVE-2020-8541
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Details:
XML Entity Expansion can be used to trigger HTTP requests to remote servers and to include local files.

Risk:
Internal network topology and local files might get exposed, and server-side requests can be triggered by unauthorized users.

Steps to reproduce:
1. Create and upload a malicious OpenXML document
2. Edit or open the document

Solution:
We now use the correct XML stream reader with additional hardening when unmarshalling this kind of file.
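The hardening described above, applied to OpenXML input, amounts to parsing each XML part of the package with a reader that refuses DTDs and external entities, since no legitimate OpenXML part carries a DOCTYPE. The added example below (written for this page in Python with the standard library's expat bindings, not OX's Java document converter) does exactly that: it unzips the package in memory, parses every `.xml` and `.rels` part with handlers that abort on a DOCTYPE, an entity declaration or an external entity reference, and disables parameter entity parsing. The two packages, `BENIGN_DOCX` and `HOSTILE_DOCX`, are constructed in the block; the hostile one declares only a harmless internal entity, which is enough to trigger the rejection.

```python
import io
import zipfile
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """A part carried a DOCTYPE, an entity declaration or an external reference."""


def parse_part_strictly(data):
    """Parse one XML part with expat and return (root_tag, element_count).

    Refusing the DOCTYPE blocks both external entities (XXE) and internal
    entity expansion; the entity and external-reference handlers are a second
    line of defence for any path that reaches them."""
    state = {"root": None, "count": 0}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in an OpenXML part")

    def reject_entity(*decl):
        raise UnsafeXmlError(f"entity declaration {decl[0]!r} is not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} refused")

    def start_element(tag, attrs):
        if state["root"] is None:
            state["root"] = tag
        state["count"] += 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse
    return state["root"], state["count"]


def load_openxml_parts(package_bytes):
    """Return {part name: root element} for every XML part, raising
    UnsafeXmlError on the first part that fails the strict parse."""
    roots = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as package:
        for info in package.infolist():
            if info.filename.endswith((".xml", ".rels")):
                roots[info.filename], _ = parse_part_strictly(package.read(info.filename))
    return roots


def is_safe_package(package_bytes):
    """True if every XML part parses under the strict rules."""
    try:
        load_openxml_parts(package_bytes)
        return True
    except (UnsafeXmlError, expat.ExpatError, zipfile.BadZipFile):
        return False


def build_package(parts):
    """Constructed helper: zip a {name: xml string} mapping into an in-memory package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        for name, xml in parts.items():
            package.writestr(name, xml)
    return buf.getvalue()


XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
CONTENT_TYPES = XML_DECL + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
BODY = f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>&note;</w:t></w:r></w:p></w:body></w:document>'

# Constructed benign package: a minimal word/document.xml with plain text.
BENIGN_DOCX = build_package({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": XML_DECL + BODY.replace("&note;", "hello"),
})

# Constructed hostile package: the same part, but with a DTD declaring an entity.
HOSTILE_DOCX = build_package({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": XML_DECL + '<!DOCTYPE w:document [<!ENTITY note "constructed">]>' + BODY,
})

if __name__ == "__main__":
    print(load_openxml_parts(BENIGN_DOCX))
    print(is_safe_package(HOSTILE_DOCX))
```

Rejecting at `StartDoctypeDeclHandler` means the parser never even sees the entity declarations, so the decision is made before any expansion or network lookup could start. A converter that must accept DTD-bearing XML from other formats would instead keep the DOCTYPE and rely on the entity and external-reference handlers, which is the weaker of the two positions.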




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
