Bugtraq mailing list archives

Open-Xchange Security Advisory 2013-04-17
From: Martin Braun <martin.braun () open-xchange com>
Date: Wed, 17 Apr 2013 09:51:42 +0200 (CEST)

Open-Xchange Security Advisory (multiple vulnerabilities)


Multiple security issues for Open-Xchange Server 6 and OX AppSuite have been discovered and fixed. The vendor has 
chosen a responsible full disclosure method to publish the security issue details. Users of the software have already been 
provided with patched versions. German law prohibits providing code that may be used by attackers, therefore no PoC or 
working code is available within this advisory.

Proof regarding the authenticity of these issues can be obtained from the published release notes:
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1381-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1378-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1379-2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1376_2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1377-2013-04-04.pdf

Product: Open-Xchange Server 6, OX AppSuite
Vendor: Open-Xchange GmbH

***********************

Internal reference: 25140
Vulnerability Type: HTTP Header Injection
Vulnerable Versions: 6.22.0-rev1 to 7.0.2-rev6
Vulnerable component: backend
Fixed Version: 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2582
CVSSv2: 6.2 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The redirect servlet of the application uses the "location" parameter, which specifies the URL a user gets redirected to. 
The application performs various replacements to protect a user against HTTP Header Injection. However, these 
replacements can be abused by an attacker to create a situation where the replace procedure itself produces a redirection string. 
When an encoded URL is passed to the "location" parameter of the "redirect" servlet, null-characters (like "%0d") are 
replaced by an empty string (""), which effectively creates the sequence "//"; a leading "//" is interpreted by the browser as 
"http://".

Risk:
Users may be tricked into visiting a malicious website through a link embedded in a trustworthy URL.


Solution:
The URL passed through the "location" parameter of the "redirect" servlet is now checked more carefully, and the servlet always 
generates a relative URL.
Users should update to the latest patch releases 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
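The following is an added illustration (constructed, not Open-Xchange's code) of why character replacement is the wrong primitive for the "location" parameter, beside a check in the spirit of the fix: validate the decoded value and only ever emit a relative path. All function names are hypothetical.

```python
from urllib.parse import unquote, urlsplit

# Constructed example of the failure mode: strip CR/LF from the decoded
# value and trust the result. "/%0d/host/" collapses to "//host/", which a
# browser treats as a protocol-relative (absolute) URL.
def strip_only_filter(location: str) -> str:
    decoded = unquote(location)
    return decoded.replace("\r", "").replace("\n", "")

# Hardened variant: decode first, then validate the *result* and fall back
# to a fixed default on anything that is not a plain local path.
def safe_relative_location(location: str, default: str = "/") -> str:
    decoded = unquote(location)
    # Control characters are header-injection material: reject, don't strip.
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return default
    parts = urlsplit(decoded)
    # A scheme or authority means an absolute target.
    if parts.scheme or parts.netloc:
        return default
    # "//" and "/\" are treated as protocol-relative by browsers.
    if decoded.startswith(("//", "/\\")):
        return default
    # Anything else must be an absolute path on this host.
    if not decoded.startswith("/"):
        return default
    return decoded
```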

***********************

Internal reference: 25321
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The infostore module allows storing and sharing items that contain URLs. These URLs can be used to execute JS code when 
the "URL" is clicked, since "javascript:" is allowed as a protocol.

Risk:
Shared infostore items may contain malicious code that may be executed by other users. An attacker can thereby obtain 
authentication information.


Solution:
"javascript:" is no longer allowed as a protocol prefix when creating infostore URL links.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
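As an added example (constructed here, not the project's code), a scheme check for stored links that goes a step beyond rejecting the literal prefix "javascript:": it allowlists schemes instead of denylisting one, and normalises case and embedded whitespace or control characters, which browsers ignore when parsing a scheme. The function names and the allowed-scheme set are assumptions.

```python
import re

# Schemes a stored infostore link may use (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def link_scheme(url: str) -> str:
    """Return the lower-cased scheme as a browser would see it, or "" if none.

    Input is expected to be HTML-entity-decoded already; the check must run on
    the value that will end up in href, not on its encoded source form.
    """
    # Browsers drop ASCII whitespace/control characters inside the scheme
    # ("java\tscript:", " javascript:"), so remove them before matching.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else ""


def is_safe_link(url: str) -> bool:
    """Accept relative links and links whose scheme is on the allowlist."""
    scheme = link_scheme(url)
    if scheme == "":
        return True          # relative URL: plain navigation target
    return scheme in ALLOWED_SCHEMES
```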

***********************

Internal reference: 25341
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML files uploaded to the infostore may contain carefully crafted script code that exploits the existing security 
checks to generate new malicious code: the sanitizer's own replacements assemble a tag that was not present in the input.
Non-working example: <scr<script><!--</script><script>-src=<malicious code></script/>

Risk:
Malicious HTML files with embedded JS can be shared with other users to obtain authentication information or execute 
operations within the context of the victim.


Solution:
The sanitizing steps are now applied repeatedly to filter all malicious code and to prevent the sanitizer from forging new code.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.

***********************

Internal reference: 25342
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML content can be stored as a mail signature. That content may contain carefully crafted script code that exploits the 
existing security checks to generate new malicious code.

Risk:
Malicious JS code can be embedded in a user's signature to obtain authentication information or execute operations 
within the context of the victim.


Solution:
The sanitizing steps are now applied repeatedly to filter all malicious code and to prevent the sanitizer from forging new code.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
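The following added example (constructed; not Open-Xchange's sanitizer) shows the code-forging problem behind both the infostore HTML issue (25341) and the mail signature issue (25342), and the "repeat until nothing changes" fix: a single tag-stripping pass turns input that contains no complete script tag into one, while iterating to a fixed point does not. The toy regex sanitizer stands in for a real HTML filter.

```python
import re

# Toy sanitizer rule: remove <script ...> and </script ...> tags. Real filters
# are larger, but any single-pass text rewrite has the same weakness shown here.
_SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def sanitize_once(html: str) -> str:
    """One pass of tag removal: the non-idempotent 'before' behaviour."""
    return _SCRIPT_TAG.sub("", html)


def sanitize_to_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Apply the same rule until the output stops changing.

    Output that is still changing after max_rounds is treated as hostile and
    refused rather than stored, so an attacker cannot rely on round limits.
    """
    for _ in range(max_rounds):
        cleaned = sanitize_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError("sanitizer did not converge; refusing content")


def contains_script_tag(html: str) -> bool:
    """Check used to compare the two strategies on the same input."""
    return _SCRIPT_TAG.search(html) is not None


# Constructed input: the removed inner tags splice the outer fragments into a
# live <script> element. This is the shape of the 'non-working example' above.
FORGED_INPUT = "<scr<script>ipt>alert(1)</scr<script>ipt>"
```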

***********************

Internal reference: 25343
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A forged image file of a specific size can be used to execute script code. To prevent malicious usage, a 
magic-byte and content check is performed on the first 2048 bytes of an image. If the malicious code is appended to 
the image or placed beyond the first 2048 bytes, it is executed when the image is called via a crafted URL.

Risk:
Malicious JS code can be embedded in a contact image to obtain authentication information or execute operations within 
the context of the victim. Contacts with malicious image content can be shared with other users.


Solution:
The whole image file is checked more carefully for malicious code and valid image data before accepting the upload.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.

***********************
