what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open-Xchange AppSuite 7.10.1 Information Disclosure / Improper Access Control

Open-Xchange AppSuite 7.10.1 Information Disclosure / Improper Access Control
Posted Apr 5, 2019
Authored by Martin Heiland

Open-Xchange AppSuite versions 7.10.1 and below suffer from information exposure and improper access control vulnerabilities.

tags | exploit, vulnerability, info disclosure
advisories | CVE-2019-7158, CVE-2019-7159
SHA-256 | a722921e6fddc3e83ee1b00bdf589f283a0af7624c6b56c8422fdc8435786cc9

Open-Xchange AppSuite 7.10.1 Information Disclosure / Improper Access Control

Change Mirror Download
Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 61771 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.6.3-rev44, 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-23
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7159
CVSS: 4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The "oxsysreport" tool failed to sanitized custom configuration parameters that could contain credentials like API keys.

Risk:
Unintended configuration information has been collected and potentially sent to OX for further analysis. This transmission would happen through secure channels and to authorized personell. We have no indication that data was used illegitimately.

Steps to reproduce:
1. Have configuration properties that don't match the expected format (e.g. commented out, custom key format)
2. Run oxsysreport and check what parameters have been sanitized

Solution:
We made sure to remove all incorrectly collected information and removed backups thereof. To solve the root cause, the oxsysreport tool has been updated to deal with other patterns of properties.


---


Internal reference: 61315 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-06
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7158
CVSS: 4.2 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
In case users did chose not to "stay signed in" or the operator disabled that functionality, cookies are maintained for a "session" lifetime to make sure they expire after the browser session has ended. Using "reload" on the existing browser session led to the impression that the session is already terminated as the login screen would be shown afterwards. However, those cookies are maintained by the browser for the remainder of the session until termination of the browser tab or window.

Risk:
Users could get the incorrect impression that their session has been terminated after reloading the browser window. In fact, the credentials for authentication (cookies) were maintained and other users with physical access to the browser could re-use them to execute API calls and access other users data.

Steps to reproduce:
1. Login with "Stay signed in" disabled
2. Reload the browser
3. Check which cookies are maintained while the "login" page is displayed

Solution:
We now drop the session associated with existent secret cookie on server-side in case a new login is performed and thus a new secret cookie is about to be written.

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close