List: full-disclosure
Subject: [FD] Open-Xchange Security Advisory 2022-03-21
From: Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2022-03-21 15:10:34
Message-ID: 452340435.1584.1647875434373 () appsuite-dev-guard ! open-xchange ! com
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: OXUIB-1092
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev26
Vendor notification: 2021-11-15
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44208
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
System messages in the OX Chat component are escaped to prevent injection of malicious code. However, this escaping is not applied to messages that are "unknown" to the system. Such messages do not occur during normal operation.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink, or would need to compromise the chat components.
Steps to reproduce:
1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code
2. Make the victim connect to that infrastructure and request messages for their account
Solution:
We now sanitize "unknown" system messages as well, in case this scenario ever happens in the wild.
---
Internal reference: MWB-1322
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-11-12
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44209
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Specific HTML5 tags and some attributes were not sufficiently considered when detecting malicious code that is being served as a download.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink.
Steps to reproduce:
1. Upload an HTML5 document with specific tags, using an HTML file extension but a misleading media-type
2. Share the file and make a victim click a hyperlink to that resource
Proof of concept:
<audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio>
Solution:
We improved HTML detection and now examine a complete list of tags, attributes and event handlers.
---
Internal reference: MWB-1260
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44210
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Certain media formats (NIFF in this case) were not detected as potentially harmful content. An attacker can exploit this by uploading malicious content in disguise. Some browsers will attempt to render NIFF sources as inline content.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink.
Steps to reproduce:
1. Generate malicious JS/HTML content and upload it as a NIFF image, changing the media-type accordingly
2. Share that malicious code using "sharing"
3. Make a victim follow a link to the malicious share
Solution:
We now detect NIFF as potentially malicious content and force browsers to download it.
---
Internal reference: MWB-1259
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-09-27
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44211
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked into generating malicious output by injecting seemingly benign but garbled HTML code.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need some level of access to the victim's account or context, and would have to pull off a social engineering attack.
Steps to reproduce:
1. Create a malicious E-Mail signature
2. Share and make a victim select that E-Mail signature
Proof of concept:
<img src class="src=cid:asd onerror=alert('XSS')//">
Solution:
We now check the HTML "class" attribute of HTML E-Mail signatures for potentially malicious content.
---
Internal reference: MWB-1219
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-17
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44212
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Script tags in HTML content can be obfuscated by appending trailing control characters to the tag name, which bypasses existing sanitizers.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink.
Steps to reproduce:
1. Create malicious script code and obfuscate HTML tags using control characters
2. Share the malicious code and make a victim click a link that points to this code
Proof of concept:
<script\t>alert("XSS");</script\t>
Solution:
We have improved the detection of obfuscated HTML tags.
---
Internal reference: MWB-1216
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev32
Vendor notification: 2021-08-13
Solution date: 2021-12-14
Public disclosure: 2022-03-21
CVE reference: CVE-2021-44213
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vulnerability Details:
Binary uu-encoded content in multipart/alternative E-Mails is processed as the mail body without sanitization in certain cases.
Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, the victim needs to interact with the message.
Steps to reproduce:
1. Generate a malicious mail with binary unix-to-unix encoded content and a specific header structure, and add placeholder content to trigger the "Show entire message" feature
2. Send that E-Mail to the victim
3. As the victim, select the message and follow the "Show entire content" link
Proof of concept:
?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script>
Solution:
We now advertise uu-encoded E-Mail parts as file attachment rather than the mail body.
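The fixes described for MWB-1322, MWB-1219, MWB-1259 and MWB-1216 share one defensive pattern: normalize the content, look for anything that can execute, and serve it as an attachment rather than inline if it can. The Python below is an added illustration of that pattern and not OX App Suite's own code; the control-character stripping, the handler regex and the tag list are assumptions, and the samples are this advisory's proof-of-concept strings reused as constructed test input.

```python
import binascii
import re

# Strip control characters that browsers tolerate inside a tag name, so the
# obfuscated "<script\t>" of MWB-1219 is compared as a plain "<script>".
_CTRL = re.compile(r"[\x00-\x1f]+")
_TAG = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.IGNORECASE)
# Any on* handler, whether a real attribute or smuggled inside another
# attribute's value as in MWB-1259 (class="... onerror=..."). Assumed pattern.
_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# Assumed, deliberately short list of elements that run code or load documents.
_ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}

def normalize_markup(data: bytes) -> str:
    """Decode permissively and drop control characters that split tag names."""
    return _CTRL.sub("", data.decode("utf-8", errors="replace"))

def find_active_content(data: bytes) -> list[str]:
    """Return why a blob looks like active HTML; an empty list means it looks inert."""
    text = normalize_markup(data)
    reasons = []
    for tag in sorted({m.group(1).lower() for m in _TAG.finditer(text)}):
        if tag in _ACTIVE_TAGS:
            reasons.append(f"active tag <{tag}>")
    if _HANDLER.search(text):
        reasons.append("event handler attribute")
    return reasons

def content_disposition(data: bytes) -> str:
    """Serve inline only what looks inert; anything else is forced to download."""
    return "attachment" if find_active_content(data) else "inline"

def decode_uu_part(lines: list[bytes]) -> bytes:
    """Decode the data lines of a uu-encoded part so it can be scanned before display."""
    return b"".join(binascii.a2b_uu(line) for line in lines)

# Constructed samples: the proof-of-concept strings from this advisory plus one inert page.
SAMPLES = {
    "obfuscated script tag": b'<script\t>alert("XSS");</script\t>',
    "html5 audio handlers": b'<audio src="bell.ogg" onprogress="alert(\'XSS\');" controls></audio>',
    "handler in class value": b'<img src class="src=cid:asd onerror=alert(\'XSS\')//">',
    "inert page": b"<p>Quarterly numbers attached.</p>",
    "uu-encoded mail part": decode_uu_part([b"?/'-C<FEP=#YA;&5R=\"@B6%-3(BD[/\"]S8W)I<'0^\"@``"]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24} -> {content_disposition(blob):10} {find_active_content(blob)}")
```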
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/