
Open-Xchange 6 / OX AppSuite Cross Site Scripting

Posted Apr 17, 2013
Authored by Martin Braun

Multiple security issues for Open-Xchange Server 6 and OX AppSuite have been discovered and fixed. These range from cross site scripting to header injection.

tags | advisory, xss
advisories | CVE-2013-2582, CVE-2013-2583
SHA-256 | e2706921a9718e5f1888014c099073f64e4fae60be06edb06264c9b991a2542e

Open-Xchange Security Advisory (multiple vulnerabilities)


Multiple security issues for Open-Xchange Server 6 and OX AppSuite have been discovered and fixed. The vendor has chosen a responsible full disclosure method to publish security issue details. Users of the software have already been provided with patched versions. German law prohibits providing code that may be used by attackers; therefore, no PoC or working code is available within this advisory.

Proof regarding the authenticity of these issues can be obtained from the published release notes:
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1381-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1378-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1379-2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1376_2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1377-2013-04-04.pdf

Product: Open-Xchange Server 6, OX AppSuite
Vendor: Open-Xchange GmbH

***********************

Internal reference: 25140
Vulnerability type: HTTP Header Injection
Vulnerable versions: 6.22.0-rev1 to 7.0.2-rev6
Vulnerable component: backend
Fixed version: 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution status: Fixed by Vendor
Vendor notification: 2013-03-04
Solution date: 2013-04-04
Public disclosure: 2013-04-17
CVE reference: CVE-2013-2582
CVSSv2: 6.2 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The redirect servlet of the application uses the "location" variable, which specifies the URL a user gets redirected to. The application performs various replacements to protect a user against HTTP Header Injection. However, an attacker can use these replacements to create a situation where the replace procedure itself produces a redirection string. When an encoded URL is passed to the "location" parameter of the "redirect" servlet, null-characters (like "%0d") are replaced by an empty string (""), which effectively creates the sequence "//" that the browser interprets as "http://".

Risk:
Users may be tricked into visiting a malicious website embedded in a trustworthy URL.


Solution:
The URL passed through the "location" parameter of the "redirect" servlet gets checked more carefully and always generates a relative URL.
Users should update to the latest patch releases 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
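
The failure mode described above, next to a check that rejects instead of repairing, as an added Python example (not Open-Xchange's code, which is Java). The function names, the fallback path and the sample input are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# C0 control characters and DEL, which must never reach a Location header.
CTRL = re.compile(r"[\x00-\x1f\x7f]")

def naive_location(raw: str) -> str:
    """Model of the flawed approach: decode, then delete control characters."""
    return CTRL.sub("", unquote(raw))

def safe_location(raw: str, fallback: str = "/") -> str:
    """Reject suspicious input outright and only ever return a relative path."""
    decoded = unquote(raw)
    if CTRL.search(decoded) or "\\" in decoded:
        return fallback              # never "clean up" and carry on
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return fallback              # absolute or protocol-relative URL
    if not decoded.startswith("/") or decoded.startswith("//"):
        return fallback              # must be a single-slash, same-host path
    return decoded

# Constructed input: "%0d" sits between two slashes.
SAMPLE = "/%0d/example.invalid/landing"

if __name__ == "__main__":
    print("naive:", naive_location(SAMPLE))   # deletion joins the two slashes
    print("safe: ", safe_location(SAMPLE))    # rejected, fallback returned
    print("safe: ", safe_location("/ajax/infostore?id=1"))
```

Deleting characters after validation-relevant structure has been decided is what produces the new "//" prefix; rejecting the whole value avoids having to reason about what the cleaned string now means.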

***********************

Internal reference: 25321
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The infostore module allows storing and sharing items that contain URLs. These URLs can be used to execute JS code when clicking the "URL", since "javascript:" is allowed as a protocol.

Risk:
Shared infostore items may contain malicious code that may be executed by other users. An attacker can access several pieces of authentication information.


Solution:
"javascript:" is no longer allowed as a protocol prefix when creating infostore URL links.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
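
An added Python example of scheme validation for stored links (not Open-Xchange's code). It goes beyond the fix described above by allow-listing schemes rather than blocking only "javascript:"; the allowed set, the function names and the sample items are assumptions.

```python
import re

# Assumption: the schemes a deployment wants to permit for infostore links.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
_EDGE = "".join(chr(c) for c in range(0x21))  # C0 controls and space

def link_scheme(url: str):
    """Return the lower-cased scheme as a browser would see it, or None."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim leading/trailing
    # control characters and spaces, so normalise the same way first.
    cleaned = re.sub(r"[\t\r\n]", "", url).strip(_EDGE)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None

def is_allowed_link(url: str) -> bool:
    """Accept only links with an explicit, allow-listed scheme."""
    return link_scheme(url) in ALLOWED_SCHEMES

def rejected_items(items):
    """Return the titles of items whose link must not be stored or rendered."""
    return [title for title, url in items if not is_allowed_link(url)]

# Constructed sample items (title, URL).
ITEMS = [
    ("Release notes", "https://example.invalid/notes.pdf"),
    ("Mixed case", "JavaScript:marker()"),
    ("Leading space and tab", "  java\tscript:marker()"),
    ("No scheme", "example.invalid/notes.pdf"),
]

if __name__ == "__main__":
    print(rejected_items(ITEMS))
```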

***********************

Internal reference: 25341
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML files that got uploaded to the infostore may contain carefully crafted script code that exploits existing security checks to generate new malicious code.
Non-working example: <scr<script><!--</script><script>-src=<malicious code></script/>

Risk:
Malicious HTML files with embedded JS can be shared with other users to obtain authentication information or execute operations within the context of the victim.


Solution:
Repetitive application of sanitizing steps is performed to filter all malicious code and avoid code forging.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.

***********************

Internal reference: 25342
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML content can be stored as mail signature. That content may contain carefully crafted script code that exploits existing security checks to generate new malicious code.

Risk:
Malicious JS code can be embedded in a user's signature to obtain authentication information or execute operations within the context of the victim.


Solution:
Repetitive application of sanitizing steps is performed to filter all malicious code and avoid code forging.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
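
Why a single filtering pass can generate new markup, and what repeated application changes, as an added Python example covering both the infostore HTML upload and the mail signature issues (not Open-Xchange's code). The regular expression is a deliberately simple stand-in for a real tag filter, and the sample string is constructed.

```python
import re

# Simplified stand-in for a filter that deletes <script> open and close tags.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

def strip_once(html: str) -> str:
    """Single pass: text on either side of a removed tag can join into a new tag."""
    return SCRIPT_TAG.sub("", html)

def strip_until_stable(html: str, max_rounds: int = 20) -> str:
    """Re-apply the filter until the output no longer changes (a fixed point)."""
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub("", html)
        if cleaned == html:
            return cleaned
        html = cleaned
    # Input that keeps changing after many rounds is rejected, not served.
    raise ValueError("input did not stabilise within max_rounds")

def has_script_tag(html: str) -> bool:
    """Check used here to verify what the filter left behind."""
    return SCRIPT_TAG.search(html) is not None

# Constructed sample: a tag nested inside the fragments of another tag.
SAMPLE = "<scr<script>ipt>marker()</scr</script>ipt>"

if __name__ == "__main__":
    once = strip_once(SAMPLE)
    print("one pass :", once, "-> tag present:", has_script_tag(once))
    stable = strip_until_stable(SAMPLE)
    print("stable   :", stable, "-> tag present:", has_script_tag(stable))
```

Iterating to a fixed point addresses this one regeneration effect; parsing the HTML and emitting only allow-listed elements avoids the string-rewriting problem altogether.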

***********************

Internal reference: 25343
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A forged image file of a specific size can be used to execute script code. To prevent malicious usage, a magic-byte and content check is performed for the first 2048 Bytes of an image. If the malicious code is appended to the image or placed beyond the first 2048 Bytes, it is executed when the image is called via a crafted URL.

Risk:
Malicious JS code can be embedded in a contact image to obtain authentication information or execute operations within the context of the victim. Contacts with malicious image content can be shared with other users.


Solution:
The whole image file is checked more carefully for malicious code and valid image data before accepting the upload.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
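
A prefix-only check compared with a whole-file structural check, as an added Python example for PNG uploads (not Open-Xchange's code). The "content check" is modelled as a simple marker search, which is an assumption, and both sample files are constructed in the code.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def prefix_check(blob: bytes, window: int = 2048) -> bool:
    """Stand-in for the pre-fix check: only the first `window` bytes are inspected."""
    return blob.startswith(PNG_MAGIC) and b"<script" not in blob[:window].lower()

def whole_file_check(blob: bytes) -> bool:
    """Walk every chunk, verify each CRC, and require IEND to be the last bytes."""
    if not blob.startswith(PNG_MAGIC):
        return False
    pos, seen = len(PNG_MAGIC), []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            return False                      # chunk claims more data than exists
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data):
            return False                      # corrupted or fabricated chunk
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    # Anything after IEND (pos != len) is trailing data and is refused.
    return bool(seen) and seen[0] == b"IHDR" and seen[-1] == b"IEND" and pos == len(blob)

# Constructed samples: a valid 1x1 greyscale PNG padded past 2048 bytes with a
# tEXt chunk, and the same file with bytes appended after IEND.
CLEAN = (PNG_MAGIC + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + chunk(b"tEXt", b"Comment\x00" + b"A" * 2100)
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND"))
FORGED = CLEAN + b"<script>marker()</script>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("forged", FORGED)):
        print(name, "prefix:", prefix_check(blob), "whole file:", whole_file_check(blob))
```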

***********************