exploit the possibilities

Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting

Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting
Posted Aug 16, 2019
Authored by Martin Heiland, zee_shan

Open-Xchange OX App Suite suffers from a content spoofing, cross site scripting, and information disclosure vulnerabilities. Versions affected vary depending on the vulnerability.

tags | exploit, spoof, vulnerability, xss, info disclosure
advisories | CVE-2019-11521, CVE-2019-11522, CVE-2019-11806
MD5 | e4f984f70b4911993c1fb35b6018270a

Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting

Change Mirror Download
Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Vulnerability Details:
Appointment titles are rendered as hyperlink but were missing a protection against "tab nabbing".

Risk:
When following a hyperlink to a malicious website, the original tab location (OX App Suite) could be replaced with a URL chosen by the attacker. This can be exploited to trick users to re-enter credentials to a seemingly legitimate website and as a result take over accounts.

Steps to reproduce:
1. Create a appointment invitation that contains a link to a malicious website including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the appointments title
3. Provide a effective exploit to overwrite the users original URL and fake a login page

Proof of concept:
Appointment title content:
<a href="//www.evil.com/window.html" target="_blank">Click Me! :-)

Payload:
<script>
window.opener.location.replace('//www.evil-fakelogin.com/');
</script>


Solution:
We extended the usage of existing protection mechanisms (blankshield) to this case.


---


Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When replying to a HTML E-Mail with specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen as browsers incorrectly "fix" HTML content as demonstrated by @kinugawamasato for Google Search.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail

Proof of concept:
Test
<noscript><p class="xss">Another XSS!
<!-- --!
> <img src=x onerror=alert(document.domain)>


Solution:
We improved our filter and whitelisting mechanisms to block this kind of code from entering the browsers rendering engine.


---


Internal reference: 64703 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When opening a embedded HTML E-Mail, sanitization mechanisms were not active.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and embed/attach it to another E-Mail
2. Make the user open to embedded E-Mail using OX App Suites "View" feature

Proof of concept:
<img src=x onerror=alert(document.domain)>


Solution:
We now use existing filtering mechanisms when processing embedded or attached E-Mail.


---


Affected product: OX App Suite
Internal reference: 62465 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.6.3 and later
Vulnerable component: driverestricted, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (driverestricted): 7.6.3-rev4, 7.8.3-rev8, 7.8.4-rev6, 7.10.0-rev5, 7.10.1-rev4
Fixed version (backend): 7.6.3-rev46, 7.8.3-rev56, 7.8.4-rev52, 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-01-14
Solution date: 2019-05-13
Public disclosure: 2019-08-15
CVE reference: CVE-2019-11806
CVSS: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Bundles that contain private keys and passwords for OX Drive related push services were deployed without proper file-system permissions. We also fixed default file-system permissions for related configuration files that potentially contain passwords set by the operator.

Risk:
A user with non privileged system-level access could access and extract the bundles (JAR files) and analyze their byte-code. From that its possible to extract both the private key for APN certificates as well as their encryption password and GCM key/secret pairs. Extracting this does not open a specific attack vector but we consider the information confidential and our handling did not adhere to our standards with that kind of information.

Steps to reproduce:
1. Use a non privileged user account to access an OX App Suite Middleware machine
2. Check file permissions for "driverestricted" bundles that contain secret keys and passwords

Solution:
We updated file-system level permissions for such bundles and configuration files.

Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    1 Files
  • 27
    Sep 27th
    1 Files
  • 28
    Sep 28th
    20 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close