Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows to define references to E-Mail attachments that should be added. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL
    "datasource": {
        "identifier": "com.openexchange.url.mail.attachment",
        "url": "file:///var/file"
    }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows to add arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to you network layout.



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows to add arbitrary data sources. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
<img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows to add arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to you network layout.



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow to invoke images from URL sources. Since no sufficient blacklist was in place, this allows to make the server-side request arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to you network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs to return images. The source for those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users and expose their content through the generated image.

Steps to reproduce:
1. Create a document and use a image "from URL"
2. Enter a URL that redirects to the local documentconverter instance which again contains a reference to a local resource
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is being used by readerengine. This fixes a potential vulnerabilities which are not directly related to readerengine.

Risk:
Existing vulnerabilities at upstream projects could be used in context of OX App Suite / OX Documents. This is an update based on precaution.

Steps to reproduce:
1. n/a

Solution:
n/a