exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Open-Xchange OX Guard Cross Site Scripting / Signature Validation

Open-Xchange OX Guard Cross Site Scripting / Signature Validation
Posted Aug 16, 2019
Authored by Hanno Boeck, Juraj Somorovsky, Martin Heiland, Jorg Schwenk, Sebastian Schinzel, Damian Poddebniak, Jens Muller, Marcus Brinkmann

Open-Xchange OX Guard versions 7.10.2 and below suffer from a cross site scripting vulnerability. Open-Xchange OX Guard versions 7.10.1 and below, 2.10.2 and below suffer from a signature validation vulnerability.

tags | exploit, xss
advisories | CVE-2018-9997, CVE-2019-11521
SHA-256 | ea4821effec5ebd51f45bdf732d362fc22eb10a99a7363c2441cceeedc97dfae

Open-Xchange OX Guard Cross Site Scripting / Signature Validation

Change Mirror Download
Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX Guard
Vendor: OX Software GmbH

Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other HTML attachments. A variation of the original issue has been found thats based on incorrect global eventhandler blacklist entries.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a HTML mail with curly brackets that disguise event handlers in CSS
2. Make a App Suite user open the malicious mail

Proof of concept:
<div style=width:100%;height:10px;font:\"'/{/onMouseLeave=alert(1)//></div>

Solution:
We updated the list of blacklisted event handlers to close this bypass, operators may add a workaround by updating "globaleventhandlers.list" and change the incorrect handler "onmounseleave" to "onmouseleave".


--


Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of techniques used to display a valid signature from the identity of a trusted communication partner located in the mail header, although the crafted email is actually signed by an attacker. Our discoveries are based on work of a team of researchers, publishing these spoofing techniques under the "Johnny You Are Fired" project name.

Risk:
Recipients of signed PGP mail could be fooled to assume the mail originates from a trusted source rather than an attacker. This would elevate the mails trust level and potentially ease social-engineering attacks.

Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different source

Proof of concept:
https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id

Solution:
We improved validation and make sure mail with valid signatures is only evaluated to be "trusted" if the sender matches the signature issuer. We also extended our API to provide more information about a specific signature to let clients add checks and handle invalid signature information.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close