Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne and soon at YesWeHack.
Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite Vendor: OX Software GmbH Internal reference: OXUIB-1654 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16 Vendor notification: 2022-05-23 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-31469 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. PoC: <a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123";> Solution: We improved deep-link validation to avoid malicious use. --- Internal reference: OXUIB-1678 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3 Vendor notification: 2022-05-30 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37307 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account. PoC: <![CDATA[ <bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body> ]]> Solution: We improved the sanitizing algorithm to deal with disguised code. --- Internal reference: OXUIB-1731 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3 Vendor notification: 2022-06-22 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37308 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail. PoC: ... Content-Type: text/plain <img src onerror="alert('XSS')"> Solution: We removed plain-text specific code and use existing sanitization mechanisms for HTML content. --- Internal reference: OXUIB-1732 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4 Vendor notification: 2022-06-22 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37309 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data. Solution: We now apply proper HTML escaping to all relevant data sets. --- Affected product: OX App Suite Internal reference: OXUIB-1785 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4 Vendor notification: 2022-07-20 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37310 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, the "help" module is available on all instances. PoC: https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})[$$f]%2b(""%2b{})[$f]%2b(""%2b[][f])[$f]%2b"f"[f$]%2b"t"[$$]%2b"t"[$f]%2b"t"[$t]%2b(""%2b{})[$$f]%2b"t"[$$]%2b(""%2b{})[$f]%2b"t"[$f];$$$%3d[][$t$][$t$];$$$("$$$('"%2b'\\'%2b$f%2bt$%2b$f%2b'\\'%2b$f%2b$$f%2bt$%2b'\\'%2b$f%2bt$%2b$$f%2b'\\'%2b$f%2b$$t%2b$t%2b'\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\'%2b$f%2bf$%2b$$%2b'\\'%2b$f%2b$t%2bf$%2b'\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})() Solution: We sanitized any non-parsable characters from the capabilities input. --- Internal reference: MWB-1712 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37313 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response. Risk: Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. PoC: Use API calls to setup an external mail account and provide a attacker controlled domain that returns more than one record. Only the first record will be checked against the deny-list, but the second record may also be used afterwards. Solution: We improved the analysis of DNS responses and check all available records against deny-list entries. --- Internal reference: MWB-1713 Vulnerability type: Uncontrolled Resource Consumption (CWE-400) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37312 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes. Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. PoC: Sending a large request body containing a "redirect" URL to the "deferrer" servlet. Solution: We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage. --- Internal reference: MWB-1714 Vulnerability type: Uncontrolled Resource Consumption (CWE-400) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37311 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes. Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. PoC: Sending a large "location" request parameter to the "redirect" servlet. Solution: We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
![https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123"](https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123"){kind=link}