Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 58880 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-06-05
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Unexpected "type" parameters of the "content" XML tag can be used to bypass our content sanitizer. In case users added malicious RSS feeds to OX App Suite or a legit RSS feed got taken over, this can be used to inject script code into a user's browser context.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a malicious RSS feed
2. Make users subscribe to this feed using OX App Suite

Proof of concept:

Solution:
In addition to the existing sanitizers, we added a frontend-level protection to prevent plain text from being executed as script code.
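The failure class described for the "content" tag's "type" parameter, as an added example that is not OX App Suite code: a renderer that sanitizes only one exact type value next to one that normalizes the value and escapes everything it does not recognize. All function names, the demo sanitizer and the sample entries are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not OX App Suite code.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Pattern that lets unexpected types through: only one exact value is sanitized.
function renderNaive(type, body, sanitizeHtml) {
  return type === 'html' ? sanitizeHtml(body) : body;
}

// Types whose body is markup and therefore goes through the HTML sanitizer.
const MARKUP_TYPES = new Set(['html', 'xhtml', 'text/html', 'application/xhtml+xml']);

function normalizeType(type) {
  // A missing type means "text"; drop case, padding and MIME parameters.
  return String(type == null ? 'text' : type).split(';')[0].trim().toLowerCase();
}

// Fail closed: anything that is not a known markup type is rendered as escaped text.
function renderHardened(type, body, sanitizeHtml) {
  return MARKUP_TYPES.has(normalizeType(type)) ? sanitizeHtml(body) : escapeHtml(body);
}

// Stand-in for the real sanitizer (assumption, not a usable sanitizer): drops attributes.
function demoSanitizer(html) {
  return html.replace(/<(\/?[a-z0-9]+)[^>]*>/gi, '<$1>');
}

// Constructed sample entries: [type attribute, body]. The markup is a harmless marker.
const MARKUP = '<b onclick="x()">hi</b>';
const SAMPLE_ENTRIES = [
  ['html', MARKUP],
  ['HTML ', MARKUP],
  ['text/html; charset=utf-8', MARKUP],
  ['image/svg+xml', MARKUP],
  [undefined, '1 < 2'],
];

function compare() {
  return SAMPLE_ENTRIES.map(([type, body]) => ({
    type,
    naive: renderNaive(type, body, demoSanitizer),
    hardened: renderHardened(type, body, demoSanitizer),
  }));
}
console.log(compare());
```

Only the first entry is sanitized by the naive renderer; the hardened one sanitizes the three HTML variants and escapes the rest.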
---

Internal reference: 58874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev5, 7.8.3-rev7, 7.6.3-rev4
Vendor notification: 2018-06-05
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12609
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
Specific XML tags within PowerPoint presentations can be used to trigger network requests on the server side while converting the document.

Risk:
Internal network endpoints can be accessed and their default response is exposed to the attacker. Attackers can use timing attacks and response information to discover valid network services for reconnaissance.

Steps to reproduce:
1. Create a malicious PPTX file
2. Upload this file to OX App Suite
3. Trigger a document preview on the file

Proof of concept:

Solution:
In addition to blocking file-system level access, we're now blocking all kinds of external references when processing XML while converting documents.

---

Internal reference: 58282 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39
Vendor notification: 2017-04-25
Solution date: 2018-06-25
Public disclosure: 2018-31-12
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
An API endpoint meant for monitoring purposes can be used to reflect HTTP headers and, by that, script code. To exploit this, the user needs to follow a hyperlink on a malicious website.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Upload and share a snippet of bare JS code (no tags) to OX App Suite
2. Create a malicious website that redirects to "TestServlet"
3. Make the user follow a hyperlink that contains script code as URL parameter
4. The URL parameter's content will be reflected as "referer" header by "TestServlet"

Proof of concept:
https://www.example.com/referer.html?

Solution:
We removed any reflected HTTP headers from TestServlet.

---

Internal reference: 58256 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39
Vendor notification: 2018-04-24
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Font prefix information can bypass our sanitizers and be returned as HTML content when using specific combinations of brackets and quotes.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with malicious content like images with font parameters applied through CSS
2. Make an App Suite user open that mail

Proof of concept:

Solution:
We now block font prefix information in case malformed font attributes are detected.

---

Internal reference: 58226 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33
Vendor notification: 2018-04-20
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
A URL parameter can be used to inject fake "themes" into user settings. If a user follows such a malicious link, script code is executed.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a hyperlink containing the "theme" parameter, which refers to a URL containing script code
2. Make a user follow this link

Proof of concept:
https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22

Solution:
We added frontend sanitization to this kind of parameter, as they are not processed by our sanitizers.

---

Internal reference: 58161 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43
Vendor notification: 2018-04-16
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The "forgot password" link shown at the login page can be modified by using URL parameters. In case users follow forged links, script code can be injected there.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a hyperlink containing the "forgot-password" parameter, which refers to script code using a URI scheme
2. Make a user follow this link

Proof of concept:
https://example.com/appsuite/#!!&forgot-password=javascript:alert(1)

Solution:
We removed usage of this URL parameter so it will not be reflected anymore.

---

Internal reference: 58096 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33
Vendor notification: 2018-04-11
Solution date: 2018-06-25
Public disclosure: 2018-12-31
Researcher Credits: Secator
CVE reference: CVE-2018-12611
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
HTML mails can contain "mailto:" hyperlinks with body parameters that make TinyMCE create e-mails with HTML elements. These elements can contain script code which is executed if the user interacts with those elements.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an HTML mail with a hyperlink that points to a mailto: resource and contains script code
2. Make a user follow this link and then click the injected HTML element

Proof of concept:
mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E

Solution:
We now sanitize HTML content which gets pasted to the HTML editor through "mailto:" links.
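
For the "theme" and "forgot-password" URL parameters in advisories 58226 and 58161 above, an added example (not OX App Suite code) of validating fragment parameters before the frontend uses them. The vendor removed "forgot-password" altogether; the scheme allow-list here generalizes to link-valued parameters that have to stay, and the function names, theme pattern and default theme are assumptions.

```javascript
// Added example; names, the theme pattern and the default theme are assumptions.
const DEFAULT_THEME = 'default';
const THEME_NAME = /^[a-z0-9_-]{1,64}$/i;

// Parse "#!!&key=value&..." style fragments as shown in the advisory's PoC URLs.
function parseHashParams(url) {
  const fragment = new URL(url).hash.replace(/^#!*&?/, '');
  return new URLSearchParams(fragment);
}

// A theme is a plain identifier; path segments, quotes and operators are refused.
function safeTheme(params) {
  const theme = params.get('theme');
  return theme !== null && THEME_NAME.test(theme) ? theme : DEFAULT_THEME;
}

// A link-valued parameter is only used if it resolves to http(s).
// The URL parser strips tabs, newlines and leading control characters first,
// so an obfuscated scheme resolves to its real protocol before the check.
function safeLink(value, base) {
  if (value === null) return null;
  try {
    const target = new URL(value, base);
    return ['http:', 'https:'].includes(target.protocol) ? target.href : null;
  } catch (e) {
    return null; // unparsable input is treated like a refused scheme
  }
}

function inspect(url) {
  const params = parseHashParams(url);
  return {
    theme: safeTheme(params),
    forgotPassword: safeLink(params.get('forgot-password'), url),
  };
}

// Inputs: the two PoC URLs from the advisory plus one constructed benign link.
const SAMPLES = [
  'https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22',
  'https://example.com/appsuite/#!!&forgot-password=javascript:alert(1)',
  'https://example.com/appsuite/#!!&theme=dark&forgot-password=https://example.com/reset',
];
console.log(SAMPLES.map(inspect));
```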

---

Internal reference: 58051 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-04-09
Solution date: 2018-06-25
Public disclosure: 2018-12-31
CVE reference: CVE-2018-12610
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
People who get access to (public) sharing links are able to request the share owner's e-mail address, even though it's not required to make sharing work.

Risk:
Semi-confidential information is exposed unexpectedly to external entities. This can be used to run targeted spam and malware attacks.

Steps to reproduce:
1. Create a share of files, calendar etc. and forward this link to the public or another person
2. Open the share link and run a "list" call of the user API and iterate through user IDs

Proof of concept:
PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=xxx
[3]

Solution:
We removed user e-mail addresses when responding to API calls triggered by (anonymous) guests.

---

Internal reference: 58029 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.4 and 7.8.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev34, 7.8.3-rev49
Vendor notification: 2018-04-06
Solution date: 2018-06-25
Public disclosure: 2018-12-31
CVE reference: CVE-2018-12610
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
In case sessions to access shares are active, they will not be terminated in case the owner of the share modifies the share's password or lifetime.

Risk:
Existing user sessions have access to shares whose security level has been upgraded or which are not meant to be accessible by the previous set of users.

Steps to reproduce:
1. Open or login to a share
2. As owner of the share, modify the share's password
3. Use the API to request shared data using the previously authenticated session

Proof of concept:
https://example.com/appsuite/api/files?action=zipfolder&folder=851&recursive=true&session=xxx

Solution:
We now terminate all active sessions for guests that have access to a share in case that share's password was modified.
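
The session behaviour from advisory 58029, as an added model that is not OX App Suite code: guest sessions are bound to a share and ended whenever the share's access conditions change. It goes one step beyond the stated fix by also covering the lifetime change named in the vulnerability details; the class, its methods and the sample values are assumptions.

```javascript
// Added example; class and method names are hypothetical, not OX App Suite code.
class ShareSessions {
  constructor() {
    this.shares = new Map();   // shareId -> { password, expires }
    this.sessions = new Map(); // sessionId -> shareId
    this.nextId = 1;
  }
  createShare(shareId, password, expires) {
    this.shares.set(shareId, { password, expires });
  }
  // Guest login: the password is checked once, then the session id carries access.
  login(shareId, password, now) {
    const share = this.shares.get(shareId);
    if (!share || share.password !== password || now >= share.expires) return null;
    const sessionId = 'guest-' + this.nextId++;
    this.sessions.set(sessionId, shareId);
    return sessionId;
  }
  // Any change to the share's access conditions ends the sessions bound to it.
  updateShare(shareId, changes) {
    const share = this.shares.get(shareId);
    if (!share) return 0;
    Object.assign(share, changes);
    let terminated = 0;
    for (const [sessionId, boundShare] of this.sessions) {
      if (boundShare === shareId) {
        this.sessions.delete(sessionId);
        terminated++;
      }
    }
    return terminated;
  }
  // Every request re-checks the session and the share's current lifetime.
  canAccess(sessionId, now) {
    const share = this.shares.get(this.sessions.get(sessionId));
    return Boolean(share) && now < share.expires;
  }
}

// Constructed scenario following the advisory's steps to reproduce.
function demo() {
  const store = new ShareSessions();
  store.createShare('share-1', 'old-secret', 1000);
  const session = store.login('share-1', 'old-secret', 10);
  const before = store.canAccess(session, 20);
  const terminated = store.updateShare('share-1', { password: 'new-secret' });
  return { before, terminated, after: store.canAccess(session, 30) };
}
console.log(demo());
```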