exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation

OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation
Posted Jun 12, 2020
Authored by Martin Heiland, Johannes Moritz, zee_shan, chbi, Hasan Ali

OX App Suite and OX Documents versions 7.10.3 and below suffer from server-side request forgery, cross site scripting, improper parameter validation, and XML injection vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2019-18846, CVE-2020-8541, CVE-2020-8542, CVE-2020-8543, CVE-2020-8544
SHA-256 | 64ac41f600218c8a53f85f7edaf868fd9208d415671cac26f51f2f16940095bb

OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation

Change Mirror Download
Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: 68441, 68453, 68454 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend, office documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2019-11-29
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2019-18846, CVE-2020-8544
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Our blacklisting restrictions for various APIs have flaws that allow attackers to bypass certain checks by using "smart" endpoints. In detail, the check if a URL is blacklisted was triggered independently from accessing the actual resource. Malicious endpoints with knowledge about application state could abuse this to bypass blacklisted resources. The same vulnerability affects multiple components.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a RSS feed
2. Specify a resource where the endpoint responds differently based on the request count
3. Return a valid result on the blacklist request but HTTP redirect when actually accessing the resource

Solution:
We improved the blacklisting check to make sure the actual resource is being checked when retrieving.



---



Internal reference: 68478 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2019-12-02
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-8542
CVSS: 2.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content to the mail signature editor. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a mail signature and use the "Code" feature
2. Make the user paste malicious HTML Code, for example SVG with embedded JS
3. Example: <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9I...

Solution:
We improved frontend sanitization of user-provided content.



---



Internal reference: 68681 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web / frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-09
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content to OX Documents, for example when composing a text document. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a document
2. Make the user paste malicious HTML/JS code
3. Example: tempor sit amet nulla non, <svg></p><style><a id="</style><img src=1 onerror=alert(ox.session)>"> sodales molestie velit

Solution:
We improved frontend sanitization of user-provided content.



---



Internal reference: OXUIB-39 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: zee_shan
CVE reference: CVE-2020-8542
CVSS: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Details:
Script code within a HTML E-Mail was executed under certain circumstances, like agreeing to load external images.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a malicious mail with external images
2. Make the user load external content within the mail
3. Example: <a class=xss style='font:"xss{color:color><img src onerror=alert(doc...

Solution:
The sanitizer has been improved to consider "getUnmodified" function calls.



---



Internal reference: MWB-34 (Bug ID)
Vulnerability type: Improper Parameter Validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: Johannes Moritz
CVE reference: CVE-2020-8543
CVSS: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vulnerability Details:
Resource exhaustion can be triggered by using pre-authenticated API requests with excessive parameter length.

Risk:
Degradation of availability and response times due to excessive resource usage while processing request parameters.

Steps to reproduce:
1. Use the /api/defer endpoint and use huge request parameters repeatedly.

Solution:
We now limit and filter request parameter size to avoid denial of service vectors.



---



Internal reference: DOCS-1658 (Bug ID)
Vulnerability type: Improper Restriction of XML External Entity (CWE-611)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev6, 7.10.2-rev5, 7.10.3-rev5
Vendor notification: 2020-01-22
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher credits: Hasan Ali
CVE reference: CVE-2020-8541
CVSS: 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Details:
XML Entity Expansion can be use to trigger HTTP requests to remote servers and include local files.

Risk:
Internal network topology and local files might get exposed, server-side requests can be triggered by unauthorized users.

Steps to reproduce:
1. Create and upload a malicious OpenXML document
2. Edit or open the document

Solution:
We now use the correct XML stream reader with additional hardening when unmarshalling this kind of files.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close