
List:       full-disclosure
Subject:    [FD] OXAS-ADV-2023-0003: OX App Suite Security Advisory
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2023-08-02 12:21:29
Message-ID: 928301353.2587.1690978889760 () appsuite-guard ! open-xchange ! com



Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
    Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2282
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27
First fixed revision: OX App Suite frontend 7.10.6-rev28
Discovery date: 2023-03-20
Solution date: 2023-04-20
Disclosure date: 2023-08-02
CVE: CVE-2023-26445
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L)

Details:
Themes can be abused to inject script code for persistent XSS. Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We now sanitize the theme value and use a default fallback if no theme matches.



---



Internal reference: OXUIB-2283
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27, OX App Suite frontend 8.11
First fixed revision: OX App Suite frontend 7.10.6-rev28, OX App Suite frontend 8.12
Discovery date: 2023-03-20
Solution date: 2023-04-20
Disclosure date: 2023-08-02
CVE: CVE-2023-26446
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using application passwords "lastDevice" property. The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We now sanitize the user-controllable clientID parameter.



---



Internal reference: OXUIB-2284
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27
First fixed revision: OX App Suite frontend 7.10.6-rev28
Discovery date: 2023-03-20
Solution date: 2023-04-20
Disclosure date: 2023-08-02
CVE: CVE-2023-26447
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget. The "upsell" widget for the portal allows specifying a product description. This description, taken from a user-controllable jslob, was not escaped before being added to the DOM.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We now sanitize jslob content.



---



Internal reference: OXUIB-2285
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27
First fixed revision: OX App Suite frontend 7.10.6-rev28
Discovery date: 2023-03-20
Solution date: 2023-04-27
Disclosure date: 2023-08-02
CVE: CVE-2023-26448
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS via user-defined login/logout URL. Custom log-in and log-out locations are user-defined via jslob but were not checked for malicious protocol handlers.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We now sanitize jslob content for those locations to avoid redirects to malicious content.
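An added example (not OX App Suite code) of the kind of check described above: the user-configured location is parsed as a URL, only http(s) targets survive, and everything else (javascript:, data:, vbscript:, file:, unparsable input) is replaced by a default. The application origin and the default location are assumed values.

```javascript
// Added example, not OX App Suite code. Validates a user-defined
// login/logout location before it is used as a redirect target.
const APP_ORIGIN = 'https://mail.example.com';                 // assumed value
const DEFAULT_LOCATION = 'https://mail.example.com/appsuite/'; // assumed value
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function safeRedirectLocation(candidate, fallback = DEFAULT_LOCATION) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return fallback;
  let parsed;
  try {
    // Parsing against a base resolves relative paths to the app origin and
    // normalises tricks such as " JavaScript:" or "java\tscript:" to the
    // canonical "javascript:" scheme, so a plain string prefix test is not needed.
    parsed = new URL(candidate, APP_ORIGIN);
  } catch (e) {
    return fallback; // unparsable input never reaches the redirect
  }
  // Allow-list the scheme rather than deny-listing known-bad handlers.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return fallback;
  return parsed.href;
}
```

Whether a remote http(s) host (e.g. an SSO portal) is acceptable is a separate policy decision; this check only covers the protocol-handler case the advisory describes.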



---



Internal reference: OXUIB-2286
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27
First fixed revision: OX App Suite frontend 7.10.6-rev28
Discovery date: 2023-03-20
Solution date: 2023-04-19
Disclosure date: 2023-08-02
CVE: CVE-2023-26449
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS by returning user-defined content-type as Chat service resource. The "OX Chat" web service did not specify a media-type when processing responses from external resources.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We are now defining the accepted media-type to avoid code execution.



---



Internal reference: OXUIB-2287
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev27
First fixed revision: OX App Suite frontend 7.10.6-rev28
Discovery date: 2023-03-20
Solution date: 2023-04-19
Disclosure date: 2023-08-02
CVE: CVE-2023-26450
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using malicious Count service resource. The "OX Count" web service did not specify a media-type when processing responses from external resources.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We are now defining the accepted media-type to avoid code execution.



---



Internal reference: MWB-1877
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev42, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev43, OX App Suite backend 8.11
Discovery date: 2022-10-17
Solution date: 2023-04-27
Disclosure date: 2023-08-02
CVE: CVE-2023-26438
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:
SSRF using DNS rebinding attacks. External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness involving the JDK DNS cache. Attackers who timed DNS cache expiry correctly were able to inject configuration that would bypass existing network deny-lists.

Risk:
Attackers could exploit this weakness to discover the existence of restricted network infrastructure and service availability. No publicly available exploits are known.

Solution:
Improvements were made to include deny-lists not only during the check of the provided connection data, but also during use.
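An added example (not OX App Suite code, and in JavaScript rather than the JDK) of closing the TOCTOU gap described above: the host name is resolved once, the deny-list is applied to the address that will actually be used, and the connection is pinned to that address so no second lookup exists for a rebinding resolver to flip. The resolver is injected (assumed interface: a function returning one IPv4 literal) so the example runs offline; a real resolver would be asynchronous.

```javascript
// Added example, not OX App Suite code. Deny-list check applied at use time,
// with the connection pinned to the checked address.
const DENY_LIST = [
  '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.168.0.0/16',
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 literal: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return (acc * 256) + n;
  }, 0);
}

// True when the address falls inside any deny-listed CIDR block.
function isDenied(ip) {
  const addr = ipv4ToInt(ip);
  return DENY_LIST.some((cidr) => {
    const [net, bits] = cidr.split('/');
    const mask = bits === '0' ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Resolve once, check the resolved address, and return a connection target
// that uses the IP literal. Because the caller connects to `host` (an IP),
// no second DNS lookup happens; a resolver that later answers 127.0.0.1
// has nothing left to rebind. The name is kept only for Host / TLS SNI.
function pinnedTarget(hostname, port, resolveA) {
  const ip = await_free(resolveA(hostname));
  if (isDenied(ip)) throw new Error(`denied: ${hostname} resolved to ${ip}`);
  return { host: ip, port, servername: hostname };
}

// Helper so the injected resolver may return a plain string; a promise-based
// resolver would need an async variant of pinnedTarget (assumed simplification).
function await_free(value) {
  if (typeof value !== 'string') throw new Error('resolver must return an IPv4 string');
  return value;
}
```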



---



Internal reference: MWB-2020
Type: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev42, OX App Suite backend 8.10
First fixed revision: OX App Suite backend 7.10.6-rev43, OX App Suite backend 8.11
Discovery date: 2023-01-23
Solution date: 2023-04-26
Disclosure date: 2023-08-02
Researcher credits: Tim 'foobar7' Coen
CVE: CVE-2023-26430
CVSS: 3.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

Details:
Mailfilter (SIEVE) rules accept control characters. Attackers with access to user accounts can inject arbitrary control characters into SIEVE mail-filter rules.

Risk:
This could be abused to access SIEVE extensions that are not allowed by App Suite or to inject rules which would break per-user filter processing, requiring manual cleanup of such rules. No publicly available exploits are known.

Solution:
We have added sanitization to all mail-filter APIs to avoid forwarding control characters to subsystems.



---



Internal reference: MWB-2086
Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev42, OX App Suite backend 8.11
First fixed revision: OX App Suite backend 7.10.6-rev43, OX App Suite backend 8.12
Discovery date: 2023-03-14
Solution date: 2023-04-27
Disclosure date: 2023-08-02
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26443
CVSS: 5.5 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L)

Details:
Potentially malicious SQL injection when using full-text autocomplete. Full-text autocomplete search allows user-provided SQL syntax to be injected into SQL statements.

Risk:
With existing sanitization in place, this can be abused to trigger benign SQL exceptions but could potentially be escalated to a malicious SQL injection vulnerability. No publicly available exploits are known.

Solution:
We now properly encode single quotes for SQL FULLTEXT queries.



---



Internal reference: MWB-2102
Type: CWE-330 (Use of Insufficiently Random Values)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 8.11
First fixed revision: OX App Suite backend 8.12
Discovery date: 2023-03-27
Solution date: 2023-04-28
Disclosure date: 2023-08-02
Researcher credits: Eldar 'HakuPiku' Zeynalli
CVE: CVE-2023-26451
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Details:
oAuth provider uses a predictable secret source, allowing takeover of any oAuth session. Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service.

Risk:
Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result, other users' accounts could be compromised. The oAuth Authorization Service is not enabled by default. No publicly available exploits are known.

Solution:
We have updated the implementation to use sources with sufficient randomness to generate authorization tokens.



---



Internal reference: DOCS-4726
Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 8.10
First fixed revision: OX App Suite office 8.11
Discovery date: 2023-02-13
Solution date: 2023-03-14
Disclosure date: 2023-08-02
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26439
CVSS: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Details:
SQL Injection at Cacheservice "getObjects" API. The cacheservice API could be abused to inject parameters with SQL syntax which were insufficiently sanitized before being executed as an SQL statement.

Risk:
Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users' cached data. No publicly available exploits are known.

Solution:
We have improved the input check for API calls and filter for potentially malicious content.



---



Internal reference: DOCS-4727
Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 8.10
First fixed revision: OX App Suite office 8.11
Discovery date: 2023-02-13
Disclosure date: 2023-08-02
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26440
CVSS: 8.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Details:
SQL Injection at Cacheservice "registerGroup" API. The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups.

Risk:
Attackers with access to a local or restricted network could perform arbitrary SQL queries. No publicly available exploits are known.

Solution:
We have improved the input check for API calls and filter for potentially malicious content.



---



Internal reference: DOCS-4728
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 8.10
First fixed revision: OX App Suite office 8.11
Discovery date: 2023-02-14
Solution date: 2023-04-28
Disclosure date: 2023-08-02
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26441
CVSS: 6.9 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L)

Details:
Cacheservice allows local file inclusion/removal through directory traversal. Cacheservice did not correctly check whether relative cache object paths pointed inside the defined absolute location when accessing resources.

Risk:
An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the service's system user account. No publicly available exploits are known.

Solution:
We have improved path validation and make sure that any access is contained within the defined root directory.



---



Internal reference: DOCS-4734
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 8.10
First fixed revision: OX App Suite office 8.11
Discovery date: 2023-02-15
Disclosure date: 2023-08-02
Researcher credits: Mehmet 'mdisec' Ince
CVE: CVE-2023-26442
CVSS: 3.2 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)

Details:
Cacheservice HTTP client follows redirect responses, allowing SSRF. In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend.

Risk:
An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack and make Cacheservice connect to unexpected resources. No publicly available exploits are known.

Solution:
We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources.

