{"packetstorm": [{"lastseen": "2019-08-17T21:00:56", "description": "", "published": "2019-08-16T00:00:00", "type": "packetstorm", "title": "Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11522", "CVE-2019-11521", "CVE-2019-11806"], "modified": "2019-08-16T00:00:00", "id": "PACKETSTORM:154128", "href": "https://packetstormsecurity.com/files/154128/Open-Xchange-OX-App-Suite-Content-Spoofing-Cross-Site-Scripting.html", "sourceData": "`Dear subscribers, \n \nwe're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne. \n \nYours sincerely, \nMartin Heiland, Open-Xchange GmbH \n \n \n \nProduct: OX App Suite \nVendor: OX Software GmbH \n \nInternal reference: 64680 (Bug ID) \nVulnerability type: Content Spoofing (CWE-451) \nVulnerable version: 7.10.1 \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.1-rev12 \nVendor notification: 2019-04-15 \nSolution date: 2019-05-09 \nPublic disclosure: 2019-08-15 \nResearcher Credits: zee_shan \nCVE reference: CVE-2019-11521 \nCVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \nVulnerability Details: \nAppointment titles are rendered as hyperlinks but were missing protection against \"tab nabbing\" (reverse tabnabbing): a page opened through a link with target=\"_blank\" keeps a window.opener reference to the tab that opened it and can navigate that tab. \n \nRisk: \nWhen following a hyperlink to a malicious website, the original tab location (OX App Suite) could be replaced with a URL chosen by the attacker. This can be exploited to trick users into re-entering credentials on a seemingly legitimate website and as a result take over accounts. \n \nSteps to reproduce: \n1. Create an appointment invitation that contains a link to a malicious website, including a blank \"target\" attribute \n2. Make the user accept the invitation and click the hyperlink in the appointment's title \n3. 
Provide an effective exploit on the attacker's page that overwrites the user's original tab URL with a fake login page \n \nProof of concept: \nAppointment title content: \n<a href=\"//www.evil.com/window.html\" target=\"_blank\">Click Me! :-) \n \nPayload (served by the attacker's page): \n<script> \nwindow.opener.location.replace('//www.evil-fakelogin.com/'); \n</script> \n \n \nSolution: \nWe extended the usage of existing protection mechanisms (blankshield, which opens external links without a window.opener reference) to this case. \n \n \n--- \n \n \nInternal reference: 64682 (Bug ID) \nVulnerability type: Cross-Site Scripting (CWE-80) \nVulnerable version: 7.10.0 and 7.10.1 \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.0-rev31, 7.10.1-rev12 \nVendor notification: 2019-04-15 \nSolution date: 2019-05-13 \nPublic disclosure: 2019-08-15 \nResearcher Credits: zee_shan \nCVE reference: CVE-2019-11522 \nCVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \nVulnerability Details: \nWhen replying to an HTML E-Mail containing a specific payload, that payload could be executed as script code. The user must have HTML composing enabled for this vulnerability to be exploitable. This is a mutation-XSS style issue: browsers \"fix\" malformed HTML while parsing it, so markup that passed the filter is re-serialized into executable content, as demonstrated by @kinugawamasato for Google Search. \n \nRisk: \nMalicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). \n \nSteps to reproduce: \n1. Create an E-Mail with malicious content and deliver it to the user \n2. Make the user \"reply\" to the E-Mail \n \nProof of concept: \nTest \n<noscript><p class=\"xss\">Another XSS! \n<!-- --! \n> <img src=x onerror=alert(document.domain)> \n \n \nSolution: \nWe improved our filter and whitelisting mechanisms to block this kind of code from entering the browser's rendering engine. 
\n \n \n--- \n \n \nInternal reference: 64703 (Bug ID) \nVulnerability type: Cross-Site Scripting (CWE-80) \nVulnerable version: 7.10.1 \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.1-rev12 \nVendor notification: 2019-04-15 \nSolution date: 2019-05-13 \nPublic disclosure: 2019-08-15 \nResearcher Credits: zee_shan \nCVE reference: CVE-2019-11522 \nCVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \nVulnerability Details: \nWhen opening an embedded HTML E-Mail (an E-Mail attached to another E-Mail) through the \"View\" feature, the sanitization applied to regular messages was not active for this rendering path. \n \nRisk: \nMalicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). \n \nSteps to reproduce: \n1. Create an E-Mail with malicious content and embed/attach it to another E-Mail \n2. Make the user open the embedded E-Mail using OX App Suite's \"View\" feature \n \nProof of concept: \n<img src=x onerror=alert(document.domain)> \n \n \nSolution: \nWe now use the existing filtering mechanisms when processing embedded or attached E-Mail. \n \n \n--- \n \n \nAffected product: OX App Suite \nInternal reference: 62465 (Bug ID) \nVulnerability type: Information Exposure (CWE-200) \nVulnerable version: 7.6.3 and later \nVulnerable component: driverestricted, backend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version (driverestricted): 7.6.3-rev4, 7.8.3-rev8, 7.8.4-rev6, 7.10.0-rev5, 7.10.1-rev4 \nFixed version (backend): 7.6.3-rev46, 7.8.3-rev56, 7.8.4-rev52, 7.10.0-rev31, 7.10.1-rev12 \nVendor notification: 2019-01-14 \nSolution date: 2019-05-13 \nPublic disclosure: 2019-08-15 \nCVE reference: CVE-2019-11806 \nCVSS: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \nVulnerability Details: \nBundles that contain private keys and passwords for OX Drive-related push services were deployed without proper file-system permissions. 
We also fixed the default file-system permissions of related configuration files that may contain passwords set by the operator. \n \nRisk: \nA user with unprivileged system-level access could read and extract the bundles (JAR files) and analyze their byte-code. From that it is possible to extract the private key of the APN certificates together with its encryption password, as well as the GCM key/secret pairs. Extracting this does not open a specific attack vector, but we consider the information confidential and our handling of it did not adhere to our standards. \n \nSteps to reproduce: \n1. Use an unprivileged user account to access an OX App Suite Middleware machine \n2. Check the file permissions of the \"driverestricted\" bundles that contain secret keys and passwords \n \nSolution: \nWe updated the file-system level permissions of such bundles and configuration files. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/154128/oxappsuite-spoofxss.txt"}]}
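The reverse tabnabbing issue (bug 64680, CVE-2019-11521) and its fix are easy to model without a browser. The block below is an added example, not Open-Xchange or blankshield code: it uses a constructed stand-in for `window`/`location` objects so that the attacker payload from the advisory (`window.opener.location.replace(...)`) can be run against an unprotected and a protected link opening under Node. `followProtectedLink` follows the pattern blankshield uses (open a blank window, null its `opener`, then navigate it); `hardenRel` shows the attribute-level alternative of emitting `rel="noopener noreferrer"` on every `target="_blank"` anchor. The URLs are the ones from the advisory's proof of concept; `appsuite.example.test` is a made-up origin.

```javascript
// Added example (not Open-Xchange code): models the reverse tabnabbing bug
// from the advisory and two standard mitigations, using a constructed
// fake "window" so it runs under Node without a browser.

// Minimal stand-in for the browser window/location objects (constructed).
function makeWindow(url) {
  return {
    opener: null,
    location: {
      href: url,
      replace(newUrl) { this.href = newUrl; },
    },
    // What a click on <a target="_blank"> or window.open() did in 2019-era
    // browsers: the new tab receives a reference to the tab that opened it.
    open(target) {
      const child = makeWindow(target || 'about:blank');
      child.opener = this;
      return child;
    },
  };
}

// Vulnerable behaviour: the appointment title rendered as a plain
// <a href="..." target="_blank"> with no protection.
function followUnprotectedLink(originTab, href) {
  return originTab.open(href);
}

// Mitigation 1 (the blankshield pattern named in the advisory's Solution):
// open an empty window, sever its opener reference, then navigate it.
function followProtectedLink(originTab, href) {
  const child = originTab.open();
  child.opener = null;
  child.location.replace(href);
  return child;
}

// Mitigation 2: harden the anchor at render time so the browser itself
// drops the opener. Returns the rel value the sanitizer should emit.
function hardenRel(target, rel) {
  if (target !== '_blank') return rel;
  const tokens = new Set((rel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// The attacker page (www.evil.com/window.html in the PoC): if it still has
// an opener, it replaces the origin tab's URL with the fake login page.
// Returns true when the hijack succeeded.
function attackerPayload(attackerTab, fakeLoginUrl) {
  if (attackerTab.opener) {
    attackerTab.opener.location.replace(fakeLoginUrl);
    return true;
  }
  return false;
}

// Stand-alone demonstration of both paths.
const appTab = makeWindow('https://appsuite.example.test/appsuite/');
const evil = followUnprotectedLink(appTab, '//www.evil.com/window.html');
console.log('unprotected: hijacked =', attackerPayload(evil, '//www.evil-fakelogin.com/'),
  '| app tab now at', appTab.location.href);
const appTab2 = makeWindow('https://appsuite.example.test/appsuite/');
const evil2 = followProtectedLink(appTab2, '//www.evil.com/window.html');
console.log('protected:   hijacked =', attackerPayload(evil2, '//www.evil-fakelogin.com/'),
  '| app tab still at', appTab2.location.href);
```

Caveat for anyone reproducing this today: current browsers treat `target="_blank"` as implying `rel="noopener"`, so the unprotected path only hijacks the opener in browsers of the 2019 vintage the advisory targets, or where a link explicitly carries `rel="opener"`. The model above reflects the 2019 behaviour.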
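The reproduction steps for bug 62465 (CVE-2019-11806) amount to one check: which files under the middleware's bundle and configuration directories are readable by accounts other than the service owner. The block below is an added example, not Open-Xchange code, and not run against a real OX App Suite Middleware host: it builds a throw-away directory tree with constructed file names (`drive-push.jar`, `push.properties`, and so on; the real bundle names are not given in the advisory) and mode bits, lists every regular file whose "other" read bit is set, and then applies a fix. The advisory does not state the exact mode it chose; `0640` (owner read/write, group read, no world access) is this example's assumption.

```javascript
// Added example (not Open-Xchange code): the permission check from the
// CVE-2019-11806 reproduction steps, run against a constructed directory
// tree instead of a real OX App Suite Middleware host.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Builds a temporary tree imitating a bundle/config layout. Names, contents
// and modes are constructed for this example; only the mode bits matter.
function buildConstructedTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ox-perm-check-'));
  const entries = [
    // [relative path, mode]: the two 0644 files model the reported bug.
    ['bundles/drive-push.jar', 0o644],
    ['etc/push.properties', 0o644],
    ['etc/server.properties', 0o640],
    ['bundles/unrelated.jar', 0o600],
  ];
  for (const [rel, mode] of entries) {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, `constructed placeholder for ${rel}\n`);
    fs.chmodSync(full, mode); // explicit chmod so the process umask cannot interfere
  }
  return root;
}

// Recursively lists regular files whose "other" read bit (o+r, 0o004) is set,
// i.e. files any local account on the machine can read. Directories are
// descended but not reported. Result is sorted for stable comparison.
function findWorldReadable(dir) {
  const hits = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      hits.push(...findWorldReadable(full));
    } else if (entry.isFile() && (fs.statSync(full).mode & 0o004) !== 0) {
      hits.push(full);
    }
  }
  return hits.sort();
}

// Remediation (mode is this example's assumption): drop all world access,
// keep owner rw and group read so the service account's group can still
// load the bundle. Returns the number of files changed.
function restrictToOwnerAndGroup(files) {
  for (const file of files) fs.chmodSync(file, 0o640);
  return files.length;
}

// Stand-alone demonstration: report, fix, re-check.
const root = buildConstructedTree();
const exposed = findWorldReadable(root);
console.log('world-readable before fix:', exposed.map((p) => path.relative(root, p)));
console.log('files changed:', restrictToOwnerAndGroup(exposed));
console.log('world-readable after fix:', findWorldReadable(root));
```

On a real host the same walk would be pointed at the middleware's bundle and configuration directories and run as an unprivileged account, which is exactly what step 1 of the advisory describes; a file the unprivileged account can open is the finding, regardless of what the mode bits say.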