-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear subscribers,
we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite Vendor: OX Software GmbH Internal reference: 66094 (Bug ID) Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.1 and 7.10.2 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9 Vendor notification: 2019-07-08 Solution date: 2019-08-09 Public disclosure: 2019-10-09 Researcher Credits: mantis CVE reference: CVE-2019-14225 CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L) Vulnerability Details: The subscription mechanism for external iCal event sources follows HTTP redirection codes. Risk: Requests can be redirected to internal network targets if the attacker controls and injects redirect codes from the supposed iCal event source. Checking the content of the returned errors and their timing allows to gather information about internal network topology and services. This can be used as a reconnaissance pattern for further attacks. Steps to reproduce: 1. Create a webservice that redirects HTTP requests to internal hosts 2. Configure that webservice as target of "external calendar" sources 3. Check response patterns when altering the redirection target Solution: We disabled HTTP redirection at the responsible HTTP client component. --- Internal reference: 66081 (Bug ID) Vulnerability type: Cross-site scripting (CWE-80) Vulnerable version: 7.10.1 and 7.10.2 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.0-rev30, 7.10.1-rev16, 7.10.2-rev7 Vendor notification: 2019-07-08 Solution date: 2019-08-09 Public disclosure: 2019-10-09 Researcher Credits: Manas Gupta CVE reference: CVE-2019-14227 CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Calendar print view (for week, months) executes script code that is part of an appointments title. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). For this to work an attacker needs to inject a malicious appointment to the victims calendar first, for example through a seemingly legitimate calendar invite or by being part of the same context. Steps to reproduce: 1. Create a appointment with script code fragments as title 2. Open "View" -> "Print" at a calendar view and cancel the native print dialog Proof of concept: <iframe/onMouseOver="document.location.href='https://example.com/ox.png'"> Solution: We fixed the template engines escaping routines. --- Internal reference: 66025 (Bug ID) Vulnerability type: Cross-site scripting (CWE-80) Vulnerable version: 7.10.1 and 7.10.2 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.1-rev16, 7.10.2-rev7 Vendor notification: 2019-07-04 Solution date: 2019-07-30 Public disclosure: 2019-10-09 Researcher Credits: Michael Medvedev CVE reference: CVE-2019-14227 CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Appointment dialogs contain a folder selector which is not properly escaping folder names. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). For this to work an attacker needs to modify a calendar folder within the same context or trick the user to do so. Steps to reproduce: 1. Change a calendar folder to contain script code (or change the users name accordingly) 2. Edit or create a new appointment Proof of concept: ayb"><img src=x onerror=alert(document.domain)> Solution: We now escape folder names at this part of the dialog. --- Internal reference: 65805 (Bug ID) Vulnerability type: Information Exposure (CWE-200) Vulnerable version: 7.10.2 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev60, 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9 Vendor notification: 2019-06-24 Solution date: 2019-08-09 Public disclosure: 2019-10-09 Researcher Credits: hd7exploit CVE reference: CVE-2019-14226 CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Information about external sharing URLs is provided to users that have non-administrative permissions to a folder. Risk: Other users could discover sharing links and use that to keep access to a folders content even though permissions has been revoked for them at a later point in time. Steps to reproduce: 1. As User A, create a sharing link for a folder (e.g. Calendar) and invite internal User B with "Viewer" permissions 2. As User B, check the responses of "folder?action=get" for shared folders Proof of concept: The response contains a "share_url" parameter Solution: We removed the paramter from API responses for users that don't have access to modify it (administrative permissions). --- Internal reference: 65799 (Bug ID) Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 7.10.2 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev60, 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9 Vendor notification: 2019-06-24 Solution date: 2019-08-09 Public disclosure: 2019-10-09 Researcher Credits: hd7exploit CVE reference: CVE-2019-14226 CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) Vulnerability Details: The attachment API allows to add attachments to tasks which are marked as "private" by their owner, in case the other user has permission to the task folder. Risk: Other users could unexpectedly add (malicious) content to tasks. Creators of those "private" tasks would not expect other users to be able to do so as those users are unable to access the task. Steps to reproduce: 1. As User A, create "private" task and share the containing folder to User B 2. As User B, iterate through task IDs and try to attach files Proof of concept: The "attachment?action=attach" call allows to add attachments for tasks that are marked as "private" and not available to the user. Solution: We improved permission handling for the attachment API when dealing with "private" tasks. --- Internal reference: 65722 (Bug ID) Vulnerability type: Improper Access Control (CWE-284) Vulnerable version: 7.10.1 and 7.10.2 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.0-rev33, 7.10.1-rev17, 7.10.2-rev9 Vendor notification: 2019-06-18 Solution date: 2019-08-09 Public disclosure: 2019-10-09 Researcher Credits: hd7exploit CVE reference: CVE-2019-14226 CVSS: 2.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N) Vulnerability Details: The API allows to change the visibility of appointments within shared folders, even though the user interface does not provide that option. Risk: Other users than the creator might change appointment visibility, which is unexpected. This is more of a cosmetical issue as it requires elevated permissions. Steps to reproduce: 1. As User A, create an appointment and share the containing folder to User B with "author" permissions 2. As User B, modify the appointments visibility through API calls Proof of concept: Call "chronos?action=update" for an appointment created by User A and set the "class" parameter to "PRIVATE". Solution: We did adjust API handling to avoid other users than the creator of an appointment to modify its visibility. -----BEGIN PGP SIGNATURE----- Version: BCPG v1.62 iQIcBAABCgAGBQJdncMRAAoJEAJhPBDDBiJjuRoP/A01J+aTl+r91xF+iAiZma5Q 8V9hN6IV7ycexUqCbQwQ5Nr+Bqu+hCuiXQUqtSUy+0D4QLvZu8psVTMb8JFjSHTn UF5kv4ldkDPO174srPvL5xBMiY2F5H+kRBQjTitCHHhE7lPdGUcAL0JICaKg60NR 4G/UJF1XTlCJ8mU0SBJllsx8wFXq5WqrwZfQskRtiBgTetcYGIb/13dI9ekNu52O OmKHRa8z+j68DGGKpw7hDx535WAOMy1ovdhV/HL4yeiDmYX41isYKtaGHfPsTUxa lt7VdwAkOEWszb5AnKJJx0Gef7oxtLDafuMqQtIAVaxLTYmJGUpxz+fZPxXDMuR0 AYGeWGptDceZ8SMUO5n69ICT1+cwtqAnCce6aVFGuyl4vkbqMSbKoQ5SpbuY8pZ7 785Yv4DcoUJ3w9h2rOIiQ15A6MdCx5D0hRKfNiRV12uPEDQ4N7C4vcIhL2bBFVdO dMltJtIz9Fk8pVAeUDriOH77/Cihx5VhTEf4LKtKQHB0ttbkNBqqI7sNYDy09T5F VfLVPHwajPj+HJkKYtj8wq1kOpqWKXiAfG9DkECXIJzq+5E1NS2PlPPB5gTEyDUH b+f+ucUDAhxjbqyhJde9ciI4+sWgX4GUOYMoQ9eCrEBpxuuVZseRn+QDrugxCPEQ K50WE4Ml541v+yyYJ6UJ =1dxs -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
