Product: OX App Suite
Vendor: Open-Xchange GmbH

Internal reference: 34765 (Bug ID)
Vulnerability type: SQL Injection (CWE-89)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Researcher credits: SoftScheck GmbH
Fixed version: 7.4.2-rev36, 7.6.0-rev23
Vendor notification: 2013-10-06
Solution date: 2014-10-08
Public disclosure: 2014-11-07
CVE reference: CVE-2014-7871
CVSSv2: 7.6 (AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A SQL injection vulnerability has been identified at the "jslob" API call. Abusing the MySQL "ExtractValue" function allows execution of arbitrary SQL code by passing it through MySQLs XPath interpreter. 30 characters of the injected SQL queryies result are returned as an error message by the parser when failing to evaluate XPath. This issue affects MySQL 5.1 and later.

Risk:
Confidential data may get exposed to authenticated users (attackers). OX AppSuite user passwords are stored hashed and salted either using SHA1 or bcrypt, making it hard to gather plain-text passwords. However, other information like server configuration data, configuration files and database content could be extracted using this vulnerability. Even though the amount of returned data is limited to 30 characters for each request, this vulnerability can be used to subsequently gather more information by using scripts.

Steps to reproduce:
Forge a PUT request to the jslob api and escape the JSON structure, inject invalid XPath syntax and a piggy-back SQL query to the MySQL XPath interpreter. Bound to german law, we're not allowed to disclose exploit code that could be used to attack in-production systems.

Possible solutions:
Update to the latest available version of OX AppSuite/OX6 backend.
Configure a web application firewall to mitigate such requests.