exploit the possibilities

Open-Xchange OX App Suite Cross Site Scripting / SSRF

Open-Xchange OX App Suite Cross Site Scripting / SSRF
Posted Jan 21, 2019
Authored by Martin Heiland, Secator, Zhihua Yao, stemcloud, Gamal negm eldin

Open-Xchange OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities. The vulnerabilities spawn a multitude of versions.

tags | exploit, vulnerability, xss
advisories | CVE-2018-13103, CVE-2018-13104
MD5 | 0f83a06f2870765960fa46b3d0ee12cc

Open-Xchange OX App Suite Cross Site Scripting / SSRF

Change Mirror Download
Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 59653 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13
Vendor notification: 2018-07-31
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Gamal negm eldin
CVE reference: CVE-2018-13104
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Attachment file names in mail can be used to inject script code, in case the victim uses "mouse over" on the attachment.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious multipart HTML E-Mail
2. Make the recipient to expand the "attachments" area and mouse-over the attachment

Proof of concept:
------=_Part_361_1510656222.1533025735063
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"


Solution:
We made sure to use the actual text node as label to avoid injecting DOM nodes.


---


Internal reference: 59507 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34
Vendor notification: 2018-07-25
Solution date: 2018-08-16
Public disclosure: 2019-01-18
Researcher Credits: Zhihua Yao (chihuahua)
CVE reference: CVE-2018-13104
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
File names of attachments of PIM objects (appointments, contacts, tasks) can be used to inject script code. Sharing such objects with other users allows to attack them. This requires both a trust relationship between those users - or both have to be provisioned to the same context.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a PIM object, like an appointment
2. Upload a attachment with malicious file name
3. Make the victim open the object in detail view

Proof of concept:
"><img src=x onerror=alert(document.domain)>.jpg

Solution:
We transformed file names to text nodes before adding them to DOM.


---


Internal reference: 58742 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2018-05-24
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Specific URL parameters can be used to circumvent handling of potentially malicious files. Usually we force the user agent to download such files instead of eventually opening them.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious HTML file and upload it to Drive
2. Modify the file type to "application/xml" or "application/xhtml+xml" to trigger UA content guessing
3. Create a link to download that file and use the content_disposition=inline parameter
4. Share the link with some other user of the system, or a guest and make them open it

Proof of concept:
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline

Solution:
We now prefer server-side content-disposition defaults over client-side parameters when dealing with attachments.


---


Internal reference: 56457 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-11
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Data with references to external content, like images of a contact imported as vcard, can be used to force redirects to local, restricted or internal network addresses.

Risk:
This can be used to perform port scanning to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create a malicious vcard file, including a remote location for the "PHOTO" attribute
2. Configure the provided host in a way that it responds with HTTP 30X redirects to internal hosts
3. Upload the vcard file to the App Suite system, monitor the runtime and response code

Proof of concept:
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg

Solution:
We no longer follow HTTP redirects pointing to local or network-internal locations.


---


Internal reference: 56558 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.3 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev50, 7.6.3-rev41
Vendor notification: 2017-12-19
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: stemcloud
CVE reference: CVE-2018-13103
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
IP black-lists can be circumvented by using non-decimal representation of IP addresses.

Risk:
This can be used to perform port scanning, host discovery and content retrieval to prepare future attacks and gain information about the target system.

Steps to reproduce:
1. Create content with external references, for example a RSS feed
2. Use octal or hexadecimal representation of IP addresses (8, 16, 24 or 32bit)

Proof of concept:
Octal:
http://017700000001/foo.xml

Hex:
http://0x7f000001/foo.xml

Decimal:
http://2130706433/foo.xml

Solution:
We now properly detect octal and hexadecimal IP address representations


---


Internal reference: 56406 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev40
Vendor notification: 2017-12-06
Solution date: 2018-08-21
Public disclosure: 2019-01-18
Researcher Credits: Secator
CVE reference: CVE-2018-13104
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Content of mails added to Portal are being executed as script code. This way malicious code within mails can get stored persistently.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a E-Mail with malicious script code
2. Make a user add this E-Mail to the Portal

Proof of concept:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p style="" class="default-style"><img src="x" onerror="alert(document.cookie);"></p>
</body>
</html>

Solution:
We adjusted "unescaping" of mail content at the frontend side.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    6 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close