Open-Xchange App Suite 7.8.1 Information Disclosure
Posted Jun 22, 2016
Authored by Martin Heiland

Open-Xchange App Suite versions 7.8.1 and below suffer from an information disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2016-4027
SHA-256 | 27b0e6e0ca5abeb66f30b28d40b4ac9eb51c5bb7ed4b48985aba9a1fe1586857

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 45328 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev43, 7.6.3-rev11, 7.8.0-rev23, 7.8.1-rev10
Vendor notification: 2016-04-14
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4027
CVSS: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
App Suite frontend offers a setting to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or in shared environments. However, the setting was not recognized correctly, and cookies were stored regardless of it when the login was performed using a non-interactive login method. When the setting was enforced by middleware configuration, or the user went through the interactive login page, the workflow was correct.

Risk:
Cookies with authentication information may become available to other users in shared environments. If the user did not properly log out from the session, third parties with access to the same client can access the user's account.

Steps to reproduce:
1. Use token-login to forward a client with authentication credentials
2. Within the login string, set the "store" parameter to "false"
3. Observe the cookie settings for the client

Solution:
Users should always log out from their session when not using the application for an extended period of time. Operators and users can enable automatic log-out. Operators should deploy the latest Patch Release.
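The defect above is a "store" flag that was honoured on one login path and ignored on another. The following is an added example, not Open-Xchange code: a single normalisation function for the flag, used by both an interactive form login and a token login, and a cookie builder that only persists the cookie when the normalised flag is true. The cookie name `app-session`, the URL `https://mail.example.test/login?method=token&store=false` and the field names are assumptions for illustration.

```python
"""Added example (not Open-Xchange code): honour a "store" login flag on
every login path, so the session cookie is only persisted when the client
asked for it. Cookie name, URL and parameter names are assumptions."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

STORE_TRUE = {"true", "1", "yes", "on"}
STORE_FALSE = {"false", "0", "no", "off"}


def parse_store_flag(raw, default=False):
    """Normalise the client's "store" value. Unknown or missing values fall
    back to the default (do NOT persist) rather than to persisting."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in STORE_TRUE:
        return True
    if value in STORE_FALSE:
        return False
    return default


def build_session_cookie(session_id, store, max_age=30 * 24 * 3600):
    """Return the Set-Cookie header value for the session cookie.
    With store=False the cookie carries no Max-Age/Expires, so the browser
    discards it when the client closes. It is always HttpOnly and Secure."""
    cookie = SimpleCookie()
    cookie["app-session"] = session_id          # hypothetical cookie name
    morsel = cookie["app-session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    if store:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def login_from_form(form_fields, session_id):
    """Interactive login path: the flag arrives in the POSTed form."""
    store = parse_store_flag(form_fields.get("store"))
    return build_session_cookie(session_id, store)


def login_from_token_url(url, session_id):
    """Non-interactive token-login path: the flag arrives in the query
    string and must go through exactly the same normalisation."""
    query = parse_qs(urlsplit(url).query)
    raw = query.get("store", [None])[0]
    store = parse_store_flag(raw)
    return build_session_cookie(session_id, store)


def is_persistent(set_cookie_value):
    """Check helper: does the header persist the cookie past the session?"""
    lowered = set_cookie_value.lower()
    return "max-age=" in lowered or "expires=" in lowered
```

The point to carry into a real code base is that `parse_store_flag` is the only place the flag is interpreted, so a second login method cannot silently drift from the first; `is_persistent` is the check an integration test would run against every login entry point.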



Affected product: OX Guard
Internal reference: 45292 (Bug ID)
Vulnerability type: Information Exposure (CWE-209)
Vulnerable version: 2.4.0
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed versions: 2.4.0-rev8
Vendor notification: 2016-04-13
Solution date: 2016-04-21
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4028
CVSS: 4.4 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
OX Guard uses an authentication token to identify guest users and transfer their credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding.

Risk:
Attackers may run brute-force attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest user needs to have logged in, and the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter need to be known to the attacker.

Solution:
The API now delivers consistent responses regardless of whether the padding has been guessed successfully. This mitigates the attack vector. Future releases may remove the usage of AES-CBC to solve the root cause completely. Operators should deploy the latest Patch Release.
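The fix described above is an error-handling change: one response for every failure. The following added example (not OX Guard code) contrasts the two handler shapes. A toy XOR "block cipher" stands in for AES so the block runs with the standard library alone; the error-handling pattern, not the cipher, is the point. Beyond the advisory's fix it also applies encrypt-then-MAC, so the padding check never runs on input that has not already been authenticated. All function names and the key/secret values are assumptions.

```python
"""Added example (not OX Guard code): why a token API must not leak whether
CBC padding was valid, and how verify-then-decrypt removes the oracle.
The toy block transform is a stand-in for AES; never use it for real."""
import hashlib
import hmac
import os

BLOCK = 16


class PaddingError(Exception):
    pass


def _toy_block(key, block):
    """Placeholder for an AES block transform: XOR with a key-derived mask.
    It is its own inverse, which keeps the CBC code short."""
    mask = hashlib.sha256(key).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, mask))


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise PaddingError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext):
    """Returns IV || ciphertext."""
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        block = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _toy_block(key, block)
        out += prev
    return iv + out


def cbc_decrypt_raw(key, data):
    """CBC decryption without padding removal."""
    iv, body = data[:BLOCK], data[BLOCK:]
    prev, out = iv, b""
    for i in range(0, len(body), BLOCK):
        block = body[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_toy_block(key, block), prev))
        prev = block
    return out


def make_token(enc_key, mac_key, secret):
    """Encrypt-then-MAC: the 32-byte tag covers IV + ciphertext."""
    ct = cbc_encrypt(enc_key, secret)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def oracle_api(enc_key, ciphertext, expected):
    """Vulnerable shape: a distinct status for a padding failure versus a
    credential failure. The status alone reveals whether padding matched."""
    try:
        secret = pkcs7_unpad(cbc_decrypt_raw(enc_key, ciphertext))
    except PaddingError:
        return 400, "padding error"
    if not hmac.compare_digest(secret, expected):
        return 401, "invalid credentials"
    return 200, "ok"


def consistent_api(enc_key, mac_key, token, expected):
    """Fixed shape: verify the MAC before decrypting, and collapse every
    failure into one response, so the padding check never runs on tampered
    input and its outcome is never visible from outside."""
    failure = (401, "invalid credentials")
    ct, tag = token[:-32], token[-32:]
    if len(ct) % BLOCK or len(ct) < 2 * BLOCK:
        return failure
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return failure
    try:
        secret = pkcs7_unpad(cbc_decrypt_raw(enc_key, ct))
    except PaddingError:
        return failure
    if not hmac.compare_digest(secret, expected):
        return failure
    return 200, "ok"
```

Response code and body are only part of the story: timing must also be uniform, which is why `consistent_api` does a constant-time tag comparison and returns the same tuple object from every branch. Replacing CBC with an AEAD mode, as the advisory says future releases may do, removes the padding step entirely.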



Affected product: OX App Suite
Internal reference: 45312 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-13
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Mohamed Khaled Fathy
CVE reference: CVE-2016-4026
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The content sanitizer component has an issue with filtering malicious content when invalid HTML code is provided. In such cases the filter outputs an unsanitized representation of the content.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on.

Solution:
Users should not open content from untrusted sources. To safeguard the client side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.
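The root cause in this entry is a sanitizer that fails open: when it cannot make sense of the markup, it hands the raw input through. The following added example (not Open-Xchange's sanitizer) is a small allow-list sanitizer built on `html.parser`, wrapped two ways: `sanitize_open` reproduces the fail-open pattern and `sanitize_closed` escapes everything when parsing fails. The tag and attribute allow-lists and the `MalformedHTML` condition (mismatched or unclosed tags) are assumptions chosen for illustration.

```python
"""Added example (not Open-Xchange code): an allow-list HTML sanitizer with
a fail-open wrapper (the bug class) and a fail-closed wrapper (the fix).
Allow-lists and the malformed-markup rule are assumptions."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MalformedHTML(Exception):
    pass


class AllowListSanitizer(HTMLParser):
    """Keeps only allow-listed tags/attributes, escapes all text, and
    raises MalformedHTML on a close tag that does not match the open one."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                # javascript:, data:, relative, ...
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if not self.stack or self.stack[-1] != tag:
            raise MalformedHTML("unexpected </%s>" % tag)
        self.stack.pop()
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        if self.stack:
            raise MalformedHTML("unclosed tags: %s" % self.stack)
        return "".join(self.out)


def _run(markup):
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


def sanitize_open(markup):
    """Vulnerable pattern: on a parser error the raw input is returned."""
    try:
        return _run(markup)
    except MalformedHTML:
        return markup


def sanitize_closed(markup):
    """Fixed pattern: on a parser error nothing is trusted; escape it all."""
    try:
        return _run(markup)
    except MalformedHTML:
        return html.escape(markup, quote=False)
```

A useful regression test for any sanitizer is exactly the one below: feed it deliberately broken markup and assert that the output contains no `<` that came from the input. Whatever the parser's error path is, that property must hold.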



Affected product: OX App Suite
Internal reference: 45295 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.3 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-13
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4026
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
If the legacy AJP connector is used (available until 7.6.3), a specific error case can be used to execute script code in the user's context. A file needs to be uploaded to Drive and its MIME type needs to be altered in a way that passes the syntax check but triggers an error while processing the download. In that event, the related error page reflects the file name to the requesting client. If an attacker has also renamed the file so that its name contains script code, that code gets executed. When using the recent Grizzly connector, this vulnerability does not occur since the response is part of the header. Nevertheless, we changed the code to avoid returning user input within HTTP headers when using Grizzly.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not open links from untrusted sources. To safeguard the client side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45401 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4045
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be embedded in RSS feeds using a URL notation. If a user clicks the corresponding link in the RSS reader of App Suite, the code gets executed in the context of the user.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not subscribe to RSS feeds from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.
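A feed reader that turns `<link>` values into clickable anchors has to decide which URL schemes it will render at all. The following added example (not App Suite code) validates a link target from an untrusted feed against an http(s) allow-list and only then renders an anchor. It goes slightly beyond the advisory's case by handling the normalisation browsers apply: tab, newline and leading control characters are ignored inside a scheme, so `"java\tscript:"` is the same as `"javascript:"` to the browser and must be to the validator. Function names and the sample URLs are assumptions.

```python
"""Added example (not App Suite code): validate link targets taken from an
untrusted RSS feed before rendering them as clickable anchors."""
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
# Browsers drop tab/LF/CR anywhere in a URL and strip leading/trailing C0
# controls and spaces before parsing; mirror that so "java\tscript:" cannot
# slip past a naive prefix check.
_STRIP_EDGES = "".join(chr(c) for c in range(0x21)) + "\x7f"
_TAB_NL = re.compile(r"[\t\n\r]")


def safe_feed_link(raw):
    """Return a canonical absolute http(s) URL, or None if the link must be
    dropped. Relative and protocol-relative links are rejected too, since a
    feed item should carry an absolute permalink."""
    if not isinstance(raw, str):
        return None
    cleaned = _TAB_NL.sub("", raw.strip(_STRIP_EDGES))
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_link(raw_url, text):
    """Render an item title as a link when its URL is acceptable, otherwise
    as plain escaped text. The label is always escaped."""
    label = html.escape(text, quote=False)
    url = safe_feed_link(raw_url)
    if url is None:
        return label
    return '<a href="%s" rel="noopener noreferrer">%s</a>' % (
        html.escape(url, quote=True), label)
```

Escaping the label covers the separate case of script code placed in a feed's text fields; the scheme check covers the URL notation the advisory describes. Both are needed, and neither replaces a Content-Security-Policy on the page that hosts the reader.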



Affected product: OX App Suite
Internal reference: 45363 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.0 and 7.8.1
Vulnerable component: documents frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-16
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Saeed Hashem
CVE reference: CVE-2016-4045
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/RC:C)

Vulnerability Details:
Users can add comments to documents in review mode. If a user has set script code as first or last name, that code might get executed in the context of other users who are reviewing the document at the same time.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not open text documents from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45364 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.8.0 and 7.8.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.0-rev30 (backend), 7.8.0-rev23 (frontend), 7.8.1-rev11
Vendor notification: 2016-04-16
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Saeed Hashem
CVE reference: CVE-2016-4048
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages.

Risk:
Users may get tricked into following instructions injected by third parties as part of social engineering attacks.

Solution:
Users should not open links from untrusted sources or follow instructions regarding their credentials. We changed the behaviour so that the client is now required to provide a token in order to get a specific message shown at the login screen. Operators should deploy the latest Patch Release.
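The fix turns a free-text URL parameter into a reference to server-side text that only the server can mint. One way to implement that token, as an added example that is not App Suite's own code: the server signs a message identifier with an HMAC and a validity window, and the login page displays a message only if the token verifies and the identifier is in its own table. The message identifiers, texts, key and time values are constructed for illustration.

```python
"""Added example (not App Suite code): login-screen notices selected by a
server-issued token rather than by free text in the URL. Message ids,
texts and the key are constructed for illustration."""
import hashlib
import hmac
import time

# The only texts the login page can ever show; nothing from the URL is
# rendered directly.
MESSAGES = {
    "share_expired": "This sharing link has expired. Ask the owner for a new one.",
    "share_revoked": "The owner has revoked this sharing link.",
}


def issue_message_token(key, message_id, issued_at=None, ttl=3600):
    """Server side: mint a token that names one known message and expires."""
    if message_id not in MESSAGES:
        raise KeyError(message_id)
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = "%s|%d|%d" % (message_id, issued_at, ttl)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def message_for_login_screen(key, token, now=None):
    """Login page: return the message text to display, or None.
    Tampering, an unknown id, a malformed token or an expired one all yield
    None, so an attacker-supplied parameter can never put words on the page."""
    now = int(time.time()) if now is None else now
    try:
        message_id, issued_str, ttl_str, tag = token.split("|")
        issued_at, ttl = int(issued_str), int(ttl_str)
    except (ValueError, AttributeError):
        return None
    # Re-derive the payload from parsed values so "0001" and "1" cannot
    # both verify against one tag.
    payload = "%s|%d|%d" % (message_id, issued_at, ttl)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if now > issued_at + ttl:
        return None
    return MESSAGES.get(message_id)
```

The same shape works for any "show the user a notice" redirect: the URL carries an opaque, signed reference, and the wording lives only on the server.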



Affected product: OX App Suite
Internal reference: 45386 (Bug ID)
Vulnerability type: XML External Entity References (CWE-611)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: documents backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev14, 7.6.3-rev3, 7.8.0-rev7, 7.8.1-rev8
Vendor notification: 2016-04-18
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Deepanker Chawla
CVE reference: CVE-2016-4047
CVSS: 4.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)

Vulnerability Details:
References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xlsx files. Those resources were requested when parsing certain parts of the generated document. As a result, an attacker can track access to a manipulated document.

Risk:
Usage of a document may get tracked and information about internal infrastructure may get exposed.

Solution:
Users should not open documents from untrusted sources. Operators shall restrict access to external resources on a network level. Operators should deploy the latest Patch Release.
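Two controls fit this entry on the application side: refuse documents whose XML parts reference anything external, and parse with external entity loading disabled regardless. The following added example (not Open-Xchange's document backend) does both on a .docx-like container built in memory: `external_references` scans each XML part's prolog for a `SYSTEM`/`PUBLIC` identifier, and `parse_part_safely` parses with `xml.sax` after explicitly switching off external general and parameter entities. The tracking URL `http://tracker.example.test/track.dtd`, the part contents and function names are constructed for illustration.

```python
"""Added example (not Open-Xchange code): detect external DTD/entity
references in OOXML parts before parsing, and parse with external entity
loading disabled. The container and its parts are constructed samples."""
import io
import re
import xml.sax
import zipfile
from xml.sax.handler import feature_external_ges, feature_external_pes

# A DOCTYPE with an external identifier, or an entity declared with one,
# is what causes a parser to fetch a remote resource.
_DOCTYPE = re.compile(
    rb"<!DOCTYPE\b[^>]*?(SYSTEM|PUBLIC)\s+(\"[^\"]*\"|'[^']*')", re.I | re.S)
_EXT_ENTITY = re.compile(
    rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\s+(\"[^\"]*\"|'[^']*')", re.I | re.S)

# Constructed sample parts: one benign, one carrying a tracking DTD.
BENIGN_PART = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
TRACKING_PART = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<!DOCTYPE document SYSTEM "http://tracker.example.test/track.dtd">'
                 b'<document><body><p>hello</p></body></document>')


def build_sample_container():
    """Constructed .docx-like zip for the checks below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", BENIGN_PART)
        zf.writestr("word/document.xml", TRACKING_PART)
    return buf.getvalue()


def external_references(container_bytes):
    """Return [(part name, identifier)] for every XML part that references an
    external DTD or entity. An empty list means nothing would be fetched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            head = zf.read(name)[:65536]     # DOCTYPE precedes the root element
            for rx in (_DOCTYPE, _EXT_ENTITY):
                for m in rx.finditer(head):
                    ident = m.group(2)[1:-1].decode("utf-8", "replace")
                    findings.append((name, ident))
    return findings


class _RootName(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.root = None

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name


def parse_part_safely(xml_bytes):
    """Parse one part with external general and parameter entities disabled
    and return its root element name. Python's expat reader defaults both
    off; set them explicitly so a different reader cannot re-enable them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _RootName()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.root
```

The scan is the cheap, loggable control an operator can run on upload; the parser configuration is the one that holds even when the scan misses an encoding trick, which is why the example keeps both rather than relying on either alone.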



Affected product: OX App Suite
Internal reference: 45366 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-17
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4046
CVSS: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports into API calls. Depending on the response type, content and latency, information about the existence of hosts and services can be gathered.

Risk:
Attackers can gather internal configuration information about the infrastructure of an operator to prepare subsequent attacks.

Solution:
Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45402 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4046
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
The API to configure RSS feeds can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports into API calls. Depending on the response type, content and latency, information about the existence of hosts and services can be gathered.

Risk:
Attackers can gather internal configuration information about the infrastructure of an operator to prepare subsequent attacks.

Solution:
Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release.
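The two SSRF entries (external mail accounts and RSS feeds) share one root cause: a user-supplied host and port are connected to without asking whether they point inside the operator's network. The following added example (not App Suite code) serves both: `check_target` resolves the host, rejects any address that is private, loopback, link-local or otherwise non-public, and enforces a per-service port allow-list; `check_feed_url` applies it to a feed URL. It handles two edge cases the text implies: an IPv4-mapped IPv6 literal such as `::ffff:10.0.0.5`, and a name with one public and one internal record. The resolver is injectable, and `sample_resolver` is a constructed table, so the check runs offline. Service kinds, ports and all names are assumptions.

```python
"""Added example (not App Suite code): refuse external-account and feed
targets that resolve inside the operator's network before connecting.
Service kinds, port lists and the resolver table are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {
    "imap": {143, 993},
    "smtp": {25, 465, 587},
    "pop3": {110, 995},
    "rss": {80, 443},
}


class UnsafeTarget(ValueError):
    pass


def _is_public(ip):
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        a = a.ipv4_mapped                 # ::ffff:10.0.0.5 is 10.0.0.5
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def system_resolver(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def sample_resolver(host):
    """Constructed DNS table for offline use; raises like getaddrinfo."""
    table = {
        "imap.example.test": {"93.184.216.34"},
        "intranet.example.test": {"10.0.0.5"},
        "dual.example.test": {"93.184.216.34", "192.168.1.1"},
    }
    if host not in table:
        raise OSError("name not found: %s" % host)
    return table[host]


def check_target(kind, host, port, resolver=system_resolver):
    """Raise UnsafeTarget unless host:port is an acceptable external service;
    otherwise return the sorted list of public addresses it resolves to.
    Every resolved address is checked, so a name with one public and one
    internal record is rejected too."""
    if kind not in ALLOWED_PORTS:
        raise UnsafeTarget("unknown service kind %r" % kind)
    if port not in ALLOWED_PORTS[kind]:
        raise UnsafeTarget("port %d not allowed for %s" % (port, kind))
    host = host.strip("[]").lower()
    try:
        addresses = {str(ipaddress.ip_address(host))}   # literal IP given
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            raise UnsafeTarget("cannot resolve %s" % host) from exc
    if not addresses:
        raise UnsafeTarget("no address for %s" % host)
    for ip in addresses:
        if not _is_public(ip):
            raise UnsafeTarget("%s resolves to non-public %s" % (host, ip))
    return sorted(addresses)


def is_safe_target(kind, host, port, resolver=system_resolver):
    try:
        check_target(kind, host, port, resolver)
    except UnsafeTarget:
        return False
    return True


def check_feed_url(url, resolver=system_resolver):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeTarget("feed URL must be absolute http(s)")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeTarget("invalid port") from exc
    return check_target("rss", parts.hostname, port, resolver)
```

The addresses `check_target` returns are the ones the connection should be made to (pin them rather than resolving the name a second time), otherwise a record that changes between check and connect bypasses the check. The network-level restriction the advisory recommends remains the backstop for anything this list does not anticipate.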



Affected product: OX App Suite
Internal reference: 45405 (Bug ID)
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
Configuring RSS feeds allows providing an arbitrary URL to fetch feed data from. Response checks make sure only valid XML gets processed, but they do not apply limits to the file size. As a result, processing of large XML resources can be triggered, which leads to high resource usage and potentially reduces service availability.

Risk:
Attackers can reduce system availability and responsiveness.

Solution:
Operators should deploy the latest Patch Release.
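The missing control here is a byte limit enforced while the response is read, before the XML parser ever sees the data. The following added example (not App Suite code) reads from any file-like response object in chunks and aborts as soon as the body exceeds a cap; a declared Content-Length is checked first but not trusted on its own, since a server can misreport it or use chunked encoding. The limit value and `fake_response`, which wraps constructed bytes in an in-memory stream, are assumptions for illustration.

```python
"""Added example (not App Suite code): cap the size of a fetched feed body
before it reaches the XML parser. Limit and sample responses are
constructed for illustration."""
import io

MAX_FEED_BYTES = 2 * 1024 * 1024        # assumed operator limit


class FeedTooLarge(Exception):
    pass


def fake_response(body):
    """Constructed stand-in for an HTTP response body stream."""
    return io.BytesIO(body)


def read_bounded(stream, limit=MAX_FEED_BYTES, chunk_size=64 * 1024,
                 declared_length=None):
    """Read at most `limit` bytes and refuse as soon as the body exceeds it.
    Reads never request more than one byte past the limit, so memory use
    is bounded by `limit` no matter what the server sends."""
    if declared_length is not None and declared_length > limit:
        raise FeedTooLarge("declared %d bytes > limit %d" % (declared_length, limit))
    buf = bytearray()
    while True:
        want = min(chunk_size, limit - len(buf) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > limit:
            raise FeedTooLarge("body exceeds %d bytes" % limit)
    return bytes(buf)


def fetch_feed_body(stream, declared_length=None, limit=MAX_FEED_BYTES):
    """Return the feed body only if it fits the limit; the caller then hands
    the bytes to a parser that has external entities disabled."""
    return read_bounded(stream, limit=limit, declared_length=declared_length)
```

A size cap is the first of two limits a feed fetcher needs; the second is a read timeout, so a server that trickles bytes cannot hold a worker thread indefinitely. Both belong in the same fetch wrapper.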


Best regards,
Martin Heiland, Open-Xchange GmbH