Open-Xchange: RTLO character in file names

2017-03-03T12:24:59
ID H1:210354
Type hackerone
Reporter inhibitor181
Modified 2017-09-28T07:19:38

Description

DESCRIPTION

Hello, I have noticed that you allow the RTLO (Right-To-Left-Override) character is not filtered from the names of the files saved to drive, or in the attachement names, thus allowing 2 things : 1. Someone sends a malicious file (html or exe or something esle) via email that contains a strategically placed RTLO in the filename, making the filename be rendered like Testlmth.txt that is actually a html file or Testexe.txt that is an actual .exe file. Then, the OX user downloads the file and quickly wants to open it and triggers the html or exe on his machine. 2. An OX user saves a file to drive with a strategically places a RTLO character and then shares it with somebody else, or waits another user to download it and open it.

POC

2 videos attached. The first video contains the steps needed to rename a file using the RTLO character and in the second one, I have sent by email a file that was renamed on my machine using a RTLO character. After that, I have opened the file through the OX frontend.