
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2022-11-24
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2022-11-24 10:31:13
Message-ID: 718408492.7518.1669285873717 () appsuite-guard ! open-xchange ! com



Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne and soon at YesWeHack.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: OXUIB-1654
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16
Vendor notification: 2022-05-23
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-31469
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The detection mechanism for "deep links" in E-Mail (e.g. links pointing to OX Drive) allows injecting references to arbitrary, nonexistent applications. This can be used to request unexpected content, potentially including script code, when such a link is followed.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink.

PoC:
<a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123">


Solution:
We improved deep-link validation to avoid malicious use.



---



Internal reference: OXUIB-1678
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-05-30
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37307
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Certain content, such as E-Mail signatures, is stored using the "snippets" mechanism. This mechanism contains a weakness that allows injecting seemingly benign HTML content, such as XHTML CDATA constructs, that the sanitizer transforms into malicious code. Once such code is in place it can be used for persistent access to the user's account.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require access to the same OX App Suite instance or temporary access to the user's account.

PoC:
<![CDATA[
<bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body>
]]>

Solution:
We improved the sanitizing algorithm to deal with disguised code.



---



Internal reference: OXUIB-1731
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37308
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need to make the victim print a malicious E-Mail.

PoC:
...
Content-Type: text/plain
<img src onerror="alert('XSS')">

Solution:
We removed plain-text specific code and use existing sanitization mechanisms for HTML content.



---



Internal reference: OXUIB-1732
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37309
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Contacts that do not contain a name but only an e-mail address can be used to inject script code into the "contact picker" component, which is commonly used to select contacts as recipients or participants.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require access to the same OX App Suite instance or would have to make the victim import malicious contact data.

Solution:
We now apply proper HTML escaping to all relevant data sets.



---



Affected product: OX App Suite
Internal reference: OXUIB-1785
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-07-20
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37310
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters to register malicious capabilities, which are then executed as script code after login.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a hyperlink to their App Suite instance and log in. While the "metrics" module is optional, the "help" module is available on all instances.

PoC:
https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})[$$f]%2b(""%2b{})[$f]%2b(""%2b[][f])[$f]%2b"f"[f$]%2b"t"[$$]%2b"t"[$f]%2b"t"[$t]%2b(""%2b{})[$$f]%2b"t"[$$]%2b(""%2b{})[$f]%2b"t"[$f];$$$%3d[][$t$][$t$];$$$("$$$('"%2b'\\'%2b$f%2bt$%2b$f%2b'\\'%2b$f%2b$$f%2bt$%2b'\\'%2b$f%2bt$%2b$$f%2b'\\'%2b$f%2b$$t%2b$t%2b'\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\'%2b$f%2bf$%2b$$%2b'\\'%2b$f%2b$t%2bf$%2b'\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})()

Solution:
We sanitized any non-parsable characters from the capabilities input.
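The two frontend issues that take their input from the URL fragment (OXUIB-1654, the `app` parameter, and OXUIB-1785, the `cap` parameter) call for the same defensive shape: decode the fragment once, then accept only values that match what the application actually knows. The block below is an added example written for this page, not Open-Xchange code; the application registry, the capability-token pattern and the `validate_deep_link` helper are constructed assumptions. It rejects an `app` value that is not a registered id (so traversal sequences are never resolved to a URL) and drops any `cap` token that is not a plain identifier.

```python
# Added example, not Open-Xchange code: validates the `app` and `cap`
# parameters of a deep-link fragment before anything is loaded or enabled.
# The app registry and the capability-token pattern are constructed.
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Constructed registry of application ids that may be the target of a deep link.
KNOWN_APPS = frozenset({"io.ox/mail", "io.ox/files", "io.ox/contacts", "io.ox/calendar"})

# Constructed: a capability name is a short identifier and nothing else.
CAP_TOKEN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def parse_fragment(fragment: str) -> dict[str, str]:
    """Turn '!!&app=...&cap=...&id=...' into a dict. parse_qsl percent-decodes,
    so '%2e./' and '../' reach the checks below in the same form."""
    return dict(parse_qsl(fragment.lstrip("#!&"), keep_blank_values=True))


def validate_app(app: str) -> str | None:
    """Accept only registered ids. Traversal sequences and made-up module
    names are rejected outright instead of being resolved to a URL."""
    return app if app in KNOWN_APPS else None


def split_caps(cap: str) -> tuple[list[str], list[str]]:
    """Split a comma-separated cap list into (kept, dropped); a token that is
    not a plain identifier is dropped rather than passed on for evaluation."""
    kept, dropped = [], []
    for token in filter(None, cap.split(",")):
        (kept if CAP_TOKEN.fullmatch(token) else dropped).append(token)
    return kept, dropped


def validate_deep_link(url: str) -> dict:
    """Validate the fragment of a full App Suite URL and report the outcome."""
    fragment = url.partition("#")[2]
    params = parse_fragment(fragment)
    app = validate_app(params.get("app", ""))
    caps, dropped = split_caps(params.get("cap", ""))
    return {"ok": app is not None, "app": app, "caps": caps, "dropped_caps": dropped}
```

Validation happens after percent-decoding so that encoded and literal forms of the same characters are treated alike; a check applied to the raw, still-encoded string would be the kind the `%2e./` PoC gets past.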



---



Internal reference: MWB-1712
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37313
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Deny-lists for external connections can be bypassed by using malicious DNS records that return more than one A or AAAA response.

Risk:
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted by deny-list settings. This can be used to determine "internal" addresses and services, depending on the timing and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies.

PoC:
Use API calls to set up an external mail account and provide an attacker-controlled domain that returns more than one record. Only the first record is checked against the deny-list, but the second record may also be used afterwards.

Solution:
We improved the analysis of DNS responses and now check all available records against deny-list entries.
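The following is an added example (written for this page, not Open-Xchange's backend code) of the check the solution describes: every address a name resolves to is tested against the deny-list, beside the weaker first-record-only variant for comparison. The deny-list ranges and the stub resolver with its DNS answers are constructed so the block runs offline; a real implementation would resolve with the platform's DNS API and then connect to one of the vetted addresses directly.

```python
# Added example, not Open-Xchange code: vets every address a host name
# resolves to against a deny-list before a server-side request may be
# made. The resolver is a constructed stub so the example runs offline.
from __future__ import annotations

import ipaddress
from typing import Callable, List, Optional

# Constructed deny-list of ranges server-initiated requests must not reach.
DENY_LIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed answers standing in for A/AAAA lookups. The attacker-controlled
# names return a harmless public address first and an internal one second.
FAKE_DNS = {
    "feed.example.net": ["203.0.113.10"],
    "multi.attacker.example": ["203.0.113.20", "10.0.0.5"],
    "v6.attacker.example": ["2001:db8::1", "fd00::1"],
}

Resolver = Callable[[str], List[str]]


def stub_resolve(host: str) -> List[str]:
    return list(FAKE_DNS.get(host, []))


def is_denied(addr: str) -> bool:
    """True if the address is in a denied range, or is not a valid address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in DENY_LIST)


def first_record_passes(host: str, resolve: Resolver = stub_resolve) -> bool:
    """The weak check the advisory describes: only records[0] is consulted,
    so a name with a second, internal record slips through."""
    records = resolve(host)
    return bool(records) and not is_denied(records[0])


def vetted_addresses(host: str, resolve: Resolver = stub_resolve) -> Optional[List[str]]:
    """Hardened check: every record must pass. Returns the list of addresses
    the caller may connect to, or None if any record is denied. The caller
    must connect to one of these exact addresses rather than re-resolving
    the name, otherwise a changed answer would bypass the check again."""
    records = resolve(host)
    if not records or any(is_denied(r) for r in records):
        return None
    return records
```

Returning the vetted address list rather than a boolean matters: if the HTTP or IMAP client re-resolves the host name on connect, a second lookup can return a different answer and the check is void, so the connection should be pinned to an address that was actually inspected.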



---



Internal reference: MWB-1713
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37312
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request body for certain API endpoints was not sufficiently checked for plausibility.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.

PoC:
Sending a large request body containing a "redirect" URL to the "deferrer" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.



---



Internal reference: MWB-1714
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37311
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request parameters for certain API endpoints was not sufficiently checked for plausibility.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.

PoC:
Sending a large "location" request parameter to the "redirect" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
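MWB-1713 (oversized request body) and MWB-1714 (oversized request parameter) share one fix: bound the input before it is buffered or parsed. The block below is an added example written for this page, not Open-Xchange code; the per-endpoint ceilings, the endpoint names used as dictionary keys and the `handle` driver are constructed. It checks `Content-Length` as a cheap early reject but also caps the actual read, since the header is client-supplied and may be absent or understated.

```python
# Added example, not Open-Xchange code: rejects oversized request bodies and
# parameters before they are buffered or parsed. Limits, endpoint names and
# the `handle` driver are constructed for illustration.
from __future__ import annotations

import io
from typing import BinaryIO, Mapping, Optional


class RequestTooLarge(Exception):
    pass


# Constructed per-endpoint ceilings: an unauthenticated redirect helper
# only ever needs a URL-sized input, so it gets a small budget.
MAX_BODY_BYTES = {"deferrer": 8 * 1024}
MAX_PARAM_BYTES = {"location": 2 * 1024}
DEFAULT_MAX_BODY = 1024 * 1024


def declared_length(headers: Mapping[str, str]) -> Optional[int]:
    """Parse Content-Length; a missing or malformed header yields None so the
    caller falls back to the streaming cap instead of trusting the client."""
    raw = headers.get("content-length")
    if raw is None or not raw.strip().isdigit():
        return None
    return int(raw)


def read_body(stream: BinaryIO, headers: Mapping[str, str], endpoint: str) -> bytes:
    """Read at most the endpoint's ceiling. Content-Length is checked first as
    a cheap early reject, but the read itself is capped too, because the
    header is attacker-controlled and a chunked body has none at all."""
    limit = MAX_BODY_BYTES.get(endpoint, DEFAULT_MAX_BODY)
    declared = declared_length(headers)
    if declared is not None and declared > limit:
        raise RequestTooLarge(f"{endpoint}: declared {declared} > {limit}")
    data = stream.read(limit + 1)  # one extra byte reveals that the cap was exceeded
    if len(data) > limit:
        raise RequestTooLarge(f"{endpoint}: body exceeds {limit} bytes")
    return data


def check_params(params: Mapping[str, str], endpoint: str) -> None:
    """Reject individual parameters that exceed their configured byte budget."""
    for name, value in params.items():
        limit = MAX_PARAM_BYTES.get(name)
        if limit is not None and len(value.encode("utf-8")) > limit:
            raise RequestTooLarge(f"{endpoint}: parameter {name!r} exceeds {limit} bytes")


def handle(endpoint: str, headers: Mapping[str, str], body: bytes, params: Mapping[str, str]) -> str:
    """Drive the checks the way a servlet filter would; returns 'accepted' or
    'rejected: ...' so the outcome is observable without a web server."""
    try:
        check_params(params, endpoint)
        read_body(io.BytesIO(body), headers, endpoint)
    except RequestTooLarge as exc:
        return f"rejected: {exc}"
    return "accepted"
```

The limits are deliberately endpoint-specific: a single global maximum sized for file uploads would leave an unauthenticated redirect endpoint with far more budget than its purpose justifies, which is exactly the asymmetry the Risk sections describe.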



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
