Product: OX App Suite
Vendor: Open-Xchange GmbH


Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: frontend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-19
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5235
OX bug reference: 33620
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
CDATA encapsulated script code within certain fields of a RSS feeds gets executed by the frontend.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
RSS feeds now get sanitized more carefully. Users should update to the latest patch releases. Users should avoid integrating untrusted or suspicious RSS feeds.



Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33834
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Crafted OLE Objects within OpenDocument Text files can be used to reference objects with absolute or relative paths. By using further modifications to the documents XML structure, existing security functions of the LibreOffice backend get bypassed. As a result, the referenced file gets included from the servers file system.

Risk:
Attackers may read configuration files located at the server where documentconverter is deployed. Since documentconverter runs with reduced permissions, this is valid for all files that can be read by the user group "open-xchange".

Solution:
A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases.



Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33835
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Crafted images within OpenDocument Text files can be used to reference objects with absolute or relative paths. As a result, the referenced file gets included from the servers file system.

Risk:
If an attacker knows the correct path to image files at the server where documentconverter is deployed, those can be made available to the attacker. Usually no security-related images are stored within deployments. Content of the OX Drive storage could be referenced but since the storage is separated to context- and user-bucket specific, hashed paths, it's unlikely for an attacker to successfully referencing such files. Including many files may pose a risk of denial-of-service attacks, though.

Solution:
A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases.



Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5237
OX bug reference: 33836
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 4.4 (AV:N/AC:L/Au:M/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Text documents allow embedding remote images, based on URLs provided by the document creator. When editing such a document within OX Text, the image gets requested by the users client, which is fine. However, when rendering previews of such images, the file gets requested by the server, introducing a SSRF attack vector.

Risk:
Malicious documents could be used to fetch lots of images from a specific host, leading to denial-of-service attacks. Also, content may get fetched from legally questionable sources, potentially putting the operator of the documentconverter into legal trouble.

Solution:
Outbound traffic of a documentconverter deployment should be controlled on a network level, if an operator does not wish to let users include external resources and use them when generating document previews. Users should update to the latest patch releases. A new black- and whitelist has been introduced to control access to remote resources.



Vulnerability type: Improper Restriction of Recursive Entity References in DTDs (CWE-776)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: office
Fixed version: 7.4.2-rev11, 7.6.0-rev9
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5238
OX bug reference: 33838
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Since OpenDocument Text documents are XML files, external entities may get included to these files. The XML parser tries to resolve these external entities by expanding them (XEE), for example including files or running specific XML parser functions. There are several attack vectors, for example including local files from the OX Text deployment or creating malicious documents that use exponential entity expansion (XEEE). Such exponential entities can be used to create huge documents based on very few lines of XML code.

Risk:
By using an XEE attack, introducing the XML "SYSTEM" entity and absolute or relative paths, the referenced file gets included from the servers file system. As a result, the whole file is visible at the OX Text editor. XEEE attacks can be used to run denial-of-service attacks to the deployment by creating vastly complex XML files that take a lot of time to process.

Solution:
DOCTYPE within ODT files is now forbidden and therefor external or special entities cannot get included anymore. Users should update to the latest patch releases.



Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5234
OX bug reference: 33839
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Arbitrary script code can be used as folder publication name, leading to code execution at clients that display such publications.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Publications now get sanitized more carefully. Users should update to the latest patch releases.