what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open-Xchange AppSuite 7.2.2 Race Condition

Open-Xchange AppSuite 7.2.2 Race Condition
Posted Aug 16, 2013
Authored by Martin Braun

Open-Xchange AppSuite version 7.2.2 suffers from a race condition vulnerability.

tags | advisory
advisories | CVE-2013-5035
SHA-256 | 29dc634c735488b15be5d3c5505557afe8bba7b4881bed94b6d11caad980cbda

Open-Xchange AppSuite 7.2.2 Race Condition

Change Mirror Download
Product: Open-Xchange AppSuite / HTMLCleaner
Vendor: Open-Xchange GmbH / HTMLCleaner team

Internal reference: 27708 (Open-Xchange Bug ID), 86 (HTMLcleaner ticket)
Vulnerability type: Race condition within a thread (CWE-366)
Vulnerable version: 7.2.2
Vulnerable component: backend
Fixed version: 7.2.2-rev13
Solution status: Fixed by Vendor (Open-Xchange), Fixed by third party (HTMLCleaner)
Vendor notification: 2013-07-22
Solution date: 2013-08-06
Public disclosure: 2013-08-16
CVE reference: CVE-2013-5035
CVSSv2: 7.6 (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:U/RC:C/CDP:H/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
If multiple requests to save E-Mail as “draft”, or send E-Mail, occur within a very narrow window of time, it is possible that E-Mail content get swapped between requests. The root cause for this is a HTML sanitising library that turned out not to be thread-safe despite it claims to be. Further research showed, that the issue has been introduced with OX 7.2.2 by updating to the latest version of this library (2.2 to 2.5). OX Versions 7.2.1 and earlier are not vulnerable.

Risk:
Not properly handling concurrent access within the sanitising library leads to a potential privacy issue. Content can become modified unintentionally or available to unprivileged users and recipients, when mixing with other users content while processing mail. An attacker could potentially trigger a lot of these requests to provoke content switches in order to randomly access mail content and personal data. Apart from using the library for this specific use-case, results for general HTML sanitising under high load may not be accurate and could contain corrupted content.

Steps to reproduce:
1. Have a multiple clients constantly saving draft mail or sending mail (quicker than 100ms per mail)

Proof of concept:
The issue has been reproduced using Unit tests, load tests and has been confirmed by the HTMLcleaner development team. At typical load, we experienced a probability of less than 0.5% that mail content of the same client either gets duplicated or mixed with mail content of another client. Higher system load and concurrent usage (per OX node) leads to a higher probability that this issue can arise.
We have reported this issue back to the maintainers of the library, adding a test case and proof-of-concept code. The issue has been fixed with HTMLCleaner 2.6, see http://sourceforge.net/p/htmlcleaner/bugs/86/ for more details.

Solution:
The solution is to create one instance of the sanitizer per request rather than passing multiple requests to the same instance. This avoids potential multithreading issues using this library, however it does not solve the root cause and other consumers of this library should either downgrade, upgrade or implement a similar workaround.
Users should update to the latest available patch releases 7.2.2-rev13

Martin Braun
Open-Xchange GmbH
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close