Open-Xchange Server 6 Cross Site Scripting

Posted Jun 3, 2013
Authored by Martin Braun

Multiple cross site scripting vulnerabilities have been addressed in Open-Xchange Server 6.

tags | advisory, vulnerability, xss
advisories | CVE-2013-3106
SHA-256 | 38f5d840701796b2a31696211c071436c988be8266dff7c81100c20207b476a2

Open-Xchange Security Advisory (multiple vulnerabilities)

Multiple security issues in Open-Xchange Server 6 and OX AppSuite have been discovered and fixed. The vendor has chosen a responsible full disclosure method to publish security issue details. Users of the software have already been provided with patched versions. German law prohibits providing code that may be used by attackers, therefore no PoC or working code is available within this advisory.

Proof regarding the authenticity of these issues can be obtained from the published release notes:
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1419_6.20.7-rev18_2013-05-09.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1420_6.22.0-rev16_2013-05-09.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1421_6.22.1-rev19_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1422_7.0.1-rev7_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1423_7.0.2-rev11_2013-05-09.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1424_7.2.0-rev8_2013-05-09.pdf

Product: Open-Xchange Server 6, OX AppSuite
Vendor: Open-Xchange GmbH

***********************

Internal reference: 25957
Vulnerability type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-17
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 4.8 (AV:N/AC:L/AU:N/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Embedded VBS (Visual Basic Script) code in HTML content is not sanitized and may be executed on the user's client.

Risk:
Embedded VBS code can be executed in the context of a user of the OX6 or AppSuite web interface. This affects Internet Explorer users with default browser security settings. Other browsers may be affected too if VBS plugins are installed.

Solution:
Switch to a browser without VBS support, such as Chrome, Firefox or Safari.
Use spam filtering mechanisms that block or filter VBS content.
Note: Disabling VBS execution at the browser level in Internet Explorer will also disable JavaScript execution, which is mandatory for using the OX web interfaces.
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.

***********************

Internal reference: 26237
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-27
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Cross site scripting can be performed when using forged "object/data" entities within HTML code. This object/data may contain harmful base64-encoded content that gets executed by certain browsers.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Avoid opening hyperlinks from untrusted sources.
Avoid using content that may contain script code (e.g. HTML attachments).
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.

***********************

Internal reference: 26243
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-29
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Cross site scripting can be performed when using forged content-type header parameters within a URL call.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Avoid opening hyperlinks from untrusted sources.
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.

***********************

Internal reference: 26244
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 7.2.0-rev7 and earlier
Vulnerable component: backend
Fixed version: 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-04-29
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Cross site scripting can be performed when using forged URL calls that force the UTF-16 charset. Existing checks fail because the content does not match the usual UTF-8 pattern.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Avoid opening hyperlinks from untrusted sources.
Users should update to the latest patch releases 6.20.7-rev18, 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.
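The charset issue above (internal reference 26244) is a general failure mode: a script-tag check that runs over raw bytes, or over bytes decoded as UTF-8, sees interleaved NUL bytes in UTF-16 content and never matches. The following added example is not from the advisory or from Open-Xchange; it assumes a hypothetical "charset" query parameter and a constructed HTML fragment, and shows the byte-level check missing the UTF-16 form next to a check that decodes with the declared charset first and rejects charsets outside an allow-list.

```python
import codecs
import re
from urllib.parse import parse_qs, urlparse

# Matches an opening script tag once the content is a decoded str.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

# Charsets the sanitizer is known to handle; anything else is refused, not guessed.
ALLOWED_CHARSETS = {"utf-8", "utf-16", "utf-16le", "utf-16be", "iso-8859-1"}

# Constructed sample fragment, encoded both ways (not taken from the advisory).
SAMPLE_HTML = "<p>hello</p><script>run()</script>"
SAMPLE_UTF8 = SAMPLE_HTML.encode("utf-8")
SAMPLE_UTF16 = SAMPLE_HTML.encode("utf-16le")


def naive_check(body: bytes) -> bool:
    """The weak pattern: assume UTF-8, so UTF-16 input ('<\\x00s\\x00c...') never matches."""
    return SCRIPT_RE.search(body.decode("utf-8", errors="replace")) is not None


def declared_charset(url: str, default: str = "utf-8") -> str:
    """Read the client-supplied charset from a hypothetical 'charset' query parameter."""
    params = parse_qs(urlparse(url).query)
    return params.get("charset", [default])[0].lower()


def normalize(body: bytes, charset: str) -> str:
    """Decode with the declared charset so the check runs over code points, not bytes."""
    try:
        codecs.lookup(charset)
    except LookupError:
        charset = "utf-8"  # unknown to Python: fall back rather than skip the check
    return body.decode(charset, errors="replace")


def robust_check(body: bytes, charset: str) -> bool:
    """Normalize first, then apply the same pattern; catches the UTF-16 case."""
    return SCRIPT_RE.search(normalize(body, charset)) is not None


def serve_decision(url: str, body: bytes) -> str:
    """Policy for a view-style endpoint: 'rejected', 'blocked' or 'served'."""
    charset = declared_charset(url)
    if charset not in ALLOWED_CHARSETS:
        return "rejected"  # do not serve content in a charset the sanitizer cannot inspect
    if robust_check(body, charset):
        return "blocked"
    return "served"
```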

***********************

Internal reference: 26373
Vulnerability Type: Cross Site Scripting
Vulnerable versions: 6.22.0 to 7.2.0-rev7
Vulnerable component: backend
Fixed version: 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8
Solution status: Fixed by Vendor
Vendor notification: 2013-05-03
Solution date: 2013-05-14
Public disclosure: 2013-06-03
CVE reference: CVE-2013-3106
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Embedded script code in HTML content is not sanitized and is executed on the user's client when using the "delivery=view" call. While this call is actively used by OX AppSuite but not by the OX6 UI, the backend has offered it since 6.22.0.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Avoid opening hyperlinks from untrusted sources.
Users should update to the latest patch releases 6.22.0-rev16, 6.22.1-rev19, 7.0.1-rev7, 7.0.2-rev11, 7.2.0-rev8.