Open-Xchange App Suite 7.8.1 Information Disclosure
Posted on 23 June 2016
Product: OX App Suite Vendor: OX Software GmbH Internal reference: 45328 (Bug ID) Vulnerability type: Information Exposure (CWE-200) Vulnerable version: 7.8.1 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev43, 7.6.3-rev11, 7.8.0-rev23, 7.8.1-rev10 Vendor notification: 2016-04-14 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4027 CVSS: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Risk: Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a users account. Steps to reproduce: 1. Use token-login to forward a client with authentication credentials 2. Within the login string, set the "store" parameter to "false" 3. Observe the cookie settings for the client Solution: Users should always logout from their session when not using the application for a extended period of time. Operators and users can enable automatic log-out. Operators should deploy the latest Patch Release. Affected product: OX Guard Internal reference: 45292 (Bug ID) Vulnerability type: Information Exposure (CWE-209) Vulnerable version: 2.4.0 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed versions: 2.4.0-rev8 Vendor notification: 2016-04-13 Solution date: 2016-04-21 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4028 CVSS: 4.4 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N) Vulnerability Details: OX Guard uses an authentication token to identify and transfer guest users credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on wheather the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers for guess the correct padding. Risk: Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest users "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker. Solution: The API now delivers consistent responses regardless if the padding has been successfully guessed. This will mitigate the attack vector. Future releases may remove usage of AES-CBC to solve the root-cause completely. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45312 (Bug ID) Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.8.1 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-13 Solution date: 2016-05-10 Public disclosure: 2016-06-22 Researcher credits: Mohamed Khaled Fathy CVE reference: CVE-2016-4026 CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on. Solution: Users should not open content from untrusted sources, to safeguard the client-side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45295 (Bug ID) Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.6.3 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-13 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4026 CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: In case the legacy AJP connector is used (available till 7.6.3), a specific error case can be used to execute script conde in the users context. A file needs to be uploaded to Drive and its MIME-Type needs to be altered in a way that it passes the syntax check but triggers an error while processing the download. In case of this event, the related error page reflects the file name to the requesting client. If a attacker has also renamed the file name in a way that it contains script code, that code gets executed. When using the recent Grizzly connector, this vulnerability does not occur since the response is part of the header. Even though we changed the code to avoid returning user input with HTTP headers when using Grizzly. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work. Solution: Users should not open links from untrusted sources, to safeguard the client-side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45401 (Bug ID) Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.8.1 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-19 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4045 CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work. Solution: Users should not subscribe to RSS feeds from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45363 (Bug ID) Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.8.0 and 7.8.1 Vulnerable component: documents frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-16 Solution date: 2016-05-10 Public disclosure: 2016-06-22 Researcher credits: Saeed Hashem CVE reference: CVE-2016-4045 CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/RC:C) Vulnerability Details: Users can add comments to documents in review mode. In case a user has set script code as first- or last-name, that code might get executed in the context of other users which work on "review" of the document at the same time. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work. Solution: Users should not open text documents from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45364 (Bug ID) Vulnerability type: Content Spoofing (CWE-451) Vulnerable version: 7.8.0 and 7.8.1 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.0-rev30 (backend), 7.8.0-rev23 (frontend), 7.8.1-rev11 Vendor notification: 2016-04-16 Solution date: 2016-05-10 Public disclosure: 2016-06-22 Researcher credits: Saeed Hashem CVE reference: CVE-2016-4048 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Risk: Users may get tricked to follow instructions injected by third parties as part of social engineering attacks. Solution: Users should not open links from untrusted sources or follow instructions regarding their credentials. We changed the behaviour in a way that the client is now required to provide a token in order to get a specific message shown at the login screen. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45386 (Bug ID) Vulnerability type: XML External Entity References (CWE-611) Vulnerable version: 7.8.1 and earlier Vulnerable component: documents backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev14, 7.6.3-rev3, 7.8.0-rev7, 7.8.1-rev8 Vendor notification: 2016-04-18 Solution date: 2016-05-10 Public disclosure: 2016-06-22 Researcher credits: Deepanker Chawla CVE reference: CVE-2016-4047 CVSS: 4.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N) Vulnerability Details: References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result a attacker can track access to a manipulated document. Risk: Usage of a document may get tracked and information about internal infrastructure may get exposed. Solution: Users should not open documents from untrusted sources. Operators shall restrict access to external resources on a network level. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45366 (Bug ID) Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.8.1 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-17 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4046 CVSS: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L) Vulnerability Details: The API to configure external mail accounts can be abused to map and acess network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existance of hosts and services can be gathered. Risk: Attackers can get internal configuration information about the infrastructure of a operator to prepare subsequent attacks. Solution: Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45402 (Bug ID) Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.8.1 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-19 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVE reference: CVE-2016-4046 CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L) Vulnerability Details: The API to configure RSS feeds can be abused to map and acess network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existance of hosts and services can be gathered. Risk: Attackers can get internal configuration information about the infrastructure of a operator to prepare subsequent attacks. Solution: Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release. Affected product: OX App Suite Internal reference: 45405 (Bug ID) Vulnerability type: Uncontrolled Resource Consumption (CWE-400) Vulnerable version: 7.8.1 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11 Vendor notification: 2016-04-19 Solution date: 2016-05-10 Public disclosure: 2016-06-22 CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: Configuring RSS feeds allows to provide an arbitrary URL to fetch feed data. Response checks make sure only valid XML gets processed but they do not apply limits to file size. As a result, processing of large XML resources can be triggered which leads to high resource usage and potentially reduces service availability. Risk: Attackers can reduce system availability and responsiveness. Solution: Operators should deploy the latest Patch Release. Best regards, Martin Heiland, Open-Xchange GmbH