exploit the possibilities

OX App Suite 7.6.0 SQL Injection

OX App Suite 7.6.0 SQL Injection
Posted Nov 7, 2014
Authored by Martin Heiland

OX App Suite versions 7.6.0 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2014-7871
MD5 | 688e3e9eb49ee93380a01d210c91dbc5

OX App Suite 7.6.0 SQL Injection

Change Mirror Download
Product: OX App Suite
Vendor: Open-Xchange GmbH

Internal reference: 34765 (Bug ID)
Vulnerability type: SQL Injection (CWE-89)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Researcher credits: SoftScheck GmbH
Fixed version: 7.4.2-rev36, 7.6.0-rev23
Vendor notification: 2013-10-06
Solution date: 2014-10-08
Public disclosure: 2014-11-07
CVE reference: CVE-2014-7871
CVSSv2: 7.6 (AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A SQL injection vulnerability has been identified at the "jslob" API call. Abusing the MySQL "ExtractValue" function allows execution of arbitrary SQL code by passing it through MySQLs XPath interpreter. 30 characters of the injected SQL queryies result are returned as an error message by the parser when failing to evaluate XPath. This issue affects MySQL 5.1 and later.

Risk:
Confidential data may get exposed to authenticated users (attackers). OX AppSuite user passwords are stored hashed and salted either using SHA1 or bcrypt, making it hard to gather plain-text passwords. However, other information like server configuration data, configuration files and database content could be extracted using this vulnerability. Even though the amount of returned data is limited to 30 characters for each request, this vulnerability can be used to subsequently gather more information by using scripts.

Steps to reproduce:
Forge a PUT request to the jslob api and escape the JSON structure, inject invalid XPath syntax and a piggy-back SQL query to the MySQL XPath interpreter. Bound to german law, we're not allowed to disclose exploit code that could be used to attack in-production systems.

Possible solutions:
Update to the latest available version of OX AppSuite/OX6 backend.
Configure a web application firewall to mitigate such requests.
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    7 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close