Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite / OX Documents Vendor: OX Software GmbH Internal reference: MWB-423 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-06-26 Solution date: 2020-09-23 Public disclosure: 2021-01-07 Researcher Credits: Stuart Redman CVE reference: CVE-2020-24700 CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) Vulnerability Details: The oAuth Proxy capability, used to exchange data with third-party services such as Twitter, can be abused to craft requests to services which are prohibited. These services may reside within a protected network and could be exposed using this technique. The code to check for allowed domains did not account for certain URL constructs. Risk: Malicious users can trigger network requests to web services outside of the expected trust boundary, for example services within a restricted network to which the OX App Suite middleware node has access. In case such services do not have further access control, a malicious user could retrieve web service content from them. The vulnerability allows to control request type and headers sent to those services. Steps to reproduce: 1. Connect your OX App Suite account to an oAuth-enabled service like Twitter 2. Forge API requests via /api/oauth/proxy containing payload related to internal services 3. API response will contain an error but also the retrieved content for the internal service Proof of concept: PUT https://example.com/appsuite/api/oauth/proxy?api=com.openexchange.oauth.twitter&session=XYZ {"url":"https://[email protected]","params":{"count":10,"include_entities":true}} Solution: We have improved detection of user-provided payload when checking against access lists. Regardless of this fix we suggest tight network segmentation, egress traffic filtering and access controls for any kind of service. --- Internal reference: MWB-460 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-07-07 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24700 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: External mail account discovery allows malicious users to append arbitrary URL paths to mail addresses. In combination with malicious auto-configuration DNS records, this can be abused to access web services outside of the expected trust boundary, regardless of existing blocklists. Risk: Malicious users can trigger network requests to web services outside of the expected trust boundary, regardless of existing blocklists. This may be used to probe for services and paths within a restricted network to which the OX App Suite middleware node has access and potentially ease further attacks. Steps to reproduce: 1. Setup a DNS A record for autoconfig.example.com, pointing to a local addresses like 127.0.0.1 2. Use the "external mail account" feature to setup a mail account for this domain 3. Append URL paths to the mail address, e.g. [email protected]/ssrf/ping Proof of concept: DNS lookup will return "127.0.0.1" and OX App Suite will append the URL fragment of the mail address, resulting in a GET request to http://127.0.0.1/ssrf/[email protected]. Solution: We restricted the ability to access blocked networks when performing autoconfig lookups. --- Internal reference: MWB-492 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-07-20 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The "debug" option for the /apps/manifests endpoint included request parameters in its response, without using HTML escaping. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Create a link to the /apps/manifest endpoint using the debug option and append malicious script code 2. Make a user open this link, for example through social engineering Proof of concept: https://example.com/ajax/apps/manifests?action=all&format=debug&xss=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E Solution: We now escape any user-provided content when creating the debug response. --- Internal reference: MWB-493 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-07-20 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The logic for determining safe content could be bypassed by providing unknown values for content-disposition while requesting a shared file. In case the file contained malicious script code, this would be executed. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Create a HTML file with malicious JS code and upload it to Drive 2. Create a public sharing link 3. Modify this link to contain a unexpected content_disposition parameter value 4. Make the victim follow this link Proof of concept: https://example.com/ajax/share/<share-token>?delivery=view&content_disposition=foo Solution: We improved the detection mechanism to neglect user-specified parameter values. --- Internal reference: MWB-494 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-07-21 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Include malicious script code within external content like a vcard file 2. Attach this file to a mail and use the conversion API to create a managed distributed file 3. Find out the UUID reference to this managed "distributedFile" 4. Make the victim open this direct reference as hyperlink Solution: We now require user-specific authentication to access this API endpoint and request managed distributed files. --- Internal reference: MWB-520 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.4-rev9 Vendor notification: 2020-07-30 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Binary files could be requested for "inline" delivery, which results in content processing within the browser. This allows to inject and execute script code within a "binary" file. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Craft a malicious HTML/JS file, upload it to Drive as binary content (application/octet-stream or similar) 2. Create a sharing link and modify its "delivery" parameters 3. Make a victim follow this link Solution: We removed the undocumented parameter from requests to shared content. --- Internal reference: MWB-583 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.3-rev55, 7.10.3-rev22, 7.10.4-rev9 Vendor notification: 2020-08-31 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: File names of inline images are not escaped or sanitized when creating a raw representation of the mail content, for example when displaying huge HTML mails through "Show entire message" Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Craft a large HTML E-Mail and include inline images 2. Chose a inline image filename that contains urlencoded script code 3. Send the mail to the victim and make it click "Show entire message" Solution: We now HTML-escape inline image file names when adding them as HTML attribute. --- Internal reference: OXUIB-400 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.4-rev8 Vendor notification: 2020-08-13 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Error responses for loading frontend apps were not properly escaped, which allows malicious users to inject script code. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Construct a URL pointing to the app loading mechanism 2. Include malicious JS code within this link 3. Make a victim open the link Proof of concept: https://example.com/appsuite/#!!&app=io.ox/files:foo,xx/../../xxx";);alert("XSS");// Solution: We now escape error responses when loading an app fails. --- Internal reference: OXUIB-401 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.4-rev8 Vendor notification: 2020-08-07 Solution date: 2020-09-23 Public disclosure: 2021-01-07 Researcher Credits: notoriousrip CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: A special "mail://" URL handler is used to allow back-links from tasks to E-Mail, in case a task was created as "reminder" for a mail. Contents of this URL would not be properly sanitized and added to the "notes" section of tasks. Attackers in a position to create such malicious tasks could place script code within that URL. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to interact with malicious tasks either shared within the same context or manually imported. Steps to reproduce: 1. Craft a malicious task, containing script code as "Note" 2. Make the user import the task or share it within the same context 3. Make the user interact with the tasks note Proof of concept: mail://hello"onmouseover=alert(document.cookie)\;"@example.com Solution: We now sanitize task notes before adding them to DOM. --- Internal reference: OXUIB-411 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev20, 7.10.4-rev11 Vendor notification: 2020-08-18 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Data like names of contacts could contain script code. When using the mobile mode (e.g. on a smartphone) and searching for contacts, this script code would be appended to DOM in an unsafe way without sanitzing its content. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to interact with malicious content either shared within the same context or manually imported. Steps to reproduce: 1. Create or import a contact with script-code as name 2. In mobile mode, use search and look up that contact Solution: We use DOMPurify to clean up values before using them as search results in mobile mode. --- Internal reference: OXUIB-412 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev19, 7.10.4-rev8 Vendor notification: 2020-08-18 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Data like the location of appointments could contain script code. When using the mobile mode (e.g. on a smartphone) and searching for appointments, this script code would be appended to DOM in an unsafe way without sanitzing its content. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to interact with malicious content either shared within the same context or manually imported. Steps to reproduce: 1. Create or import a appointment with script-code as location 2. In mobile mode, use search and look up that appointment Solution: We use DOMPurify to clean up values before using them as search results in mobile mode. --- Internal reference: OXUIB-421 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev19, 7.10.4-rev8 Vendor notification: 2020-08-20 Solution date: 2020-09-23 Public disclosure: 2021-01-07 CVE reference: CVE-2020-24701 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Data like subjects of tasks could contain script code. When using the mobile mode (e.g. on a smartphone) and searching for tasks, this script code would be appended to DOM in an unsafe way without sanitzing its content. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to interact with malicious content either shared within the same context or manually imported. Steps to reproduce: 1. Create or import a task with script-code as subject 2. In mobile mode, use search and look up that task Solution: We use DOMPurify to clean up values before using them as search results in mobile mode.
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
