exploit the possibilities

Open-Xchange App Suite 7.8.2 Cross Site Scripting

Open-Xchange App Suite 7.8.2 Cross Site Scripting
Posted Sep 13, 2016
Authored by Martin Heiland

Open-Xchange App Suite versions 7.8.2 and below suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2016-5740
MD5 | 7a2af6d51c5db2a16311fd0e0642821d

Open-Xchange App Suite 7.8.2 Cross Site Scripting

Change Mirror Download
Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Description fields of ressources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a ressource, the injected code gets executed in the context of a user when viewing appointment details.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.

Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.

Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.


Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub A>>oczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be injected to HTML E-Mail hyperlinks by using the "data" schema. This method bypasses existing sanitization methods. As a result the script code got injected to hyperlinks displayed at OX App Suite UI.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Compose malicious mail with a link containing a "data" schema with JS code included
2. Make a user click the link

Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>

Solution:
Users should not or interact with mails from untrusted external sources. Targets of hyperlinks shall be examined before clicking the respective link. Operators should update to the latest Patch Release.


Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be stored to the temporary storage for inline-images in HTML E-Mails. Content is available to the user who stored it but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regulary refreshed. A attacker could however re-upload and refresh the file once uploaded.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. a SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link

Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close