Ox App Suite 7.8.4 / 7.8.3 XSS / CSRF / Information Disclosure

Published: 07 Jan 2019 | Reported by: Secator | Type: packetstorm | Source: packetstormsecurity.com


Dear subscribers,  
  
We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne.  
  
Yours sincerely,  
Martin Heiland, Open-Xchange GmbH  
  
  
  
Product: OX App Suite  
Vendor: OX Software GmbH  
  
Internal reference: 58880 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and 7.8.3  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev49  
Vendor notification: 2018-06-05  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Unexpected "type" attributes on the "content" XML tag can be used to bypass our content sanitizer. If a user has added a malicious RSS feed to OX App Suite, or a legitimate RSS feed has been taken over, this can be used to inject script code into the user's browser context.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Create a malicious RSS feed  
2. Make users subscribe to this feed using OX App Suite  
  
Proof of concept:  
<content></content>  
<content type="tex/html"></content>  
<content type="garbage"></content>  
  
Solution:  
In addition to the existing sanitizers, we added a frontend-level protection to prevent plain text from being executed as script code.  
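The defensive principle behind that fix is that the "type" attribute may only select between a small set of known HTML types and a plain-text fallback; anything unrecognised (such as "tex/html" or "garbage" from the proof of concept) must land on the text path. The following is an added example, not Open-Xchange code; the set of HTML types and the small stand-in sanitizer are assumptions made for the demonstration.

```javascript
// Added example, not Open-Xchange code: dispatch an RSS/Atom <content> body on
// its "type" attribute and treat every value that is not an exactly known HTML
// type as plain text. "tex/html" or "garbage" therefore never reach the HTML path.

// Exact, lower-cased type values that may be rendered as markup (assumed set).
const HTML_CONTENT_TYPES = new Set(["html", "xhtml", "text/html", "application/xhtml+xml"]);

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the real HTML sanitizer (hypothetical): drops <script> elements
// and inline on* event handlers. Only here so the dispatch below is runnable.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Returns { mode, html }: "html" only for known HTML types (after sanitizing),
// otherwise "text" with the body escaped so it can be displayed but not parsed.
function renderFeedContent(typeAttr, body) {
  const type = (typeAttr == null ? "text" : String(typeAttr)).trim().toLowerCase();
  if (HTML_CONTENT_TYPES.has(type)) {
    return { mode: "html", html: sanitizeHtml(body) };
  }
  return { mode: "text", html: escapeHtml(body) };
}

// Constructed entries mirroring the three <content> variants in the advisory.
const SAMPLE_ENTRIES = [
  { type: undefined, body: "<img src=x onerror=alert(1)>" },
  { type: "tex/html", body: "<script>alert(1)</script>" },
  { type: "garbage", body: "<b onmouseover=alert(1)>hi</b>" },
  { type: "text/html", body: "<p onclick=\"x()\">hi</p><script>bad()</script>" },
];

for (const e of SAMPLE_ENTRIES) {
  const out = renderFeedContent(e.type, e.body);
  console.log(`${String(e.type).padEnd(10)} -> ${out.mode}: ${out.html}`);
}
```

The point of the dispatch is that the unsafe direction (rendering as markup) requires an exact match, while every other value degrades to escaped text; a check like this belongs in the frontend renderer even when the backend already sanitizes, which is what the advisory's fix describes.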
  
---  
  
Internal reference: 58874 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev5, 7.8.3-rev7, 7.6.3-rev4  
Vendor notification: 2018-06-05  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12609  
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)  
  
Vulnerability Details:  
Specific XML tags within PowerPoint presentations can be used to trigger network requests from the server side while the document is being converted.  
  
Risk:  
Internal network endpoints can be accessed and their default response is exposed to the attacker. Attackers can use timing and response information to discover valid network services for reconnaissance.  
  
Steps to reproduce:  
1. Create a malicious PPTX file  
2. Upload this file to OX App Suite  
3. Trigger a document preview on the file  
  
Proof of concept:  
<Relationship  
TargetMode="External"  
Target="http://localhost:8008/documentconverterws?action=convert&url=http://localhost:8008/documentconverterws&targetformat=png"  
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"  
Id="rId3">  
  
  
Solution:  
In addition to blocking file-system level access, we now block all kinds of external references when processing XML during document conversion.  
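A converter that blocks external references needs to make that decision before it resolves any relationship target. The following is an added example, not Open-Xchange code, showing such a filter over a constructed .rels part that contains one legitimate image and one external relationship in the shape of the proof of concept (the host name is a placeholder). A regex stands in for a real XML parser; the decision logic is the part that matters.

```javascript
// Added example, not Open-Xchange code: before a converter resolves the
// relationships of an OOXML part (e.g. ppt/slides/_rels/slide1.xml.rels),
// refuse every <Relationship> that points outside the package. A regex stands
// in for an XML parser here; the decision logic is what matters.

function parseRelationships(relsXml) {
  const rels = [];
  const tagRe = /<Relationship\b([^>]*)>/g;
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(relsXml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1]] = a[2];
    rels.push(attrs);
  }
  return rels;
}

// A target may only be resolved inside the package: no TargetMode="External",
// no URI scheme (http:, file:, ...) and no protocol-relative "//host" form.
function isInternalTarget(rel) {
  const target = (rel.Target || "").trim();
  if ((rel.TargetMode || "").toLowerCase() === "external") return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(target)) return false;
  if (target.startsWith("//") || target.startsWith("\\\\")) return false;
  return true;
}

// Splits relationships into the ones the converter may follow and the ones to
// drop (and log), so that a blocked entry cannot trigger a server-side request.
function filterRelationships(relsXml) {
  const allowed = [];
  const blocked = [];
  for (const rel of parseRelationships(relsXml)) {
    (isInternalTarget(rel) ? allowed : blocked).push(rel);
  }
  return { allowed, blocked };
}

// Constructed .rels part: one legitimate image plus an external reference in
// the pattern of the advisory (host and port are placeholders).
const SAMPLE_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" TargetMode="External" Target="http://converter.internal.example:8008/documentconverterws?action=convert&amp;targetformat=png"/>
</Relationships>`;

const result = filterRelationships(SAMPLE_RELS);
for (const r of result.blocked) console.log(`blocked ${r.Id}: ${r.Target}`);
for (const r of result.allowed) console.log(`allowed ${r.Id}: ${r.Target}`);
```

Relative package paths such as "../media/image1.png" and absolute package paths such as "/ppt/media/image2.png" stay allowed, because they are resolved against the archive rather than the network; everything that carries a scheme or is explicitly marked external is dropped. Logging the blocked entries gives defenders a detection signal for documents that try this.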
  
  
---  
  
  
Internal reference: 58282 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39  
Vendor notification: 2017-04-25  
Solution date: 2018-06-25  
Public disclosure: 2018-31-12  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
An API endpoint meant for monitoring purposes can be used to reflect HTTP headers, and thereby script code. To exploit this, the user needs to follow a hyperlink on a malicious website.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Upload and share a snippet of bare JS code (no tags) to OX App Suite  
2. Create a malicious website that redirects to "TestServlet"  
3. Make the user follow a hyperlink that contains script code as URL parameter  
4. The URL parameter's content will be reflected as the "referer" header by "TestServlet"  
  
Proof of concept:  
https://www.example.com/referer.html?<script/src=/appsuite/api/files/alert.json?action=document&folder=10&id=10%2F215&delivery=view></script/>  
  
Solution:  
We removed any reflected HTTP headers from TestServlet.  
  
---  
  
Internal reference: 58256 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev49, 7.6.3-rev39  
Vendor notification: 2018-04-24  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Font prefix information can bypass our sanitizers and be returned as HTML content when specific combinations of brackets and quotes are used.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Create an HTML mail with malicious content, such as images with font parameters applied through CSS  
2. Make an App Suite user open that mail  
  
Proof of concept:  
<p><img src=x style=font:"'onerror='{font:alert(document.cookie)}></p>  
<p><img src=x style=font:"'onerror=alert(document.cookie),{></p>  
  
Solution:  
We now block font prefix information in case malformed font attributes are detected.  
  
---  
  
Internal reference: 58226 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33  
Vendor notification: 2018-04-20  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
A URL parameter can be used to inject fake "themes" into user settings. If a user follows such a malicious link, script code is executed.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Create a hyperlink containing the "theme" parameter, which refers to a URL containing script code  
2. Make a user follow this link  
  
Proof of concept:  
https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22  
  
Solution:  
We added frontend sanitization for this kind of parameter, as such parameters are not processed by our sanitizers.  
  
---  
  
Internal reference: 58161 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and 7.8.3  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev43  
Vendor notification: 2018-04-16  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
The "forgot password" link shown on the login page can be modified using URL parameters. If users follow forged links, script code can be injected there.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Create a hyperlink containing the "forgot-password" parameter, which refers to script code via a URI scheme  
2. Make a user follow this link  
  
Proof of concept:  
https://example.com/appsuite/#!!&forgot-password=javascript:alert(1)  
  
Solution:  
We removed usage of this URL parameter so it will not be reflected anymore.  
  
---  
  
Internal reference: 58096 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev43, 7.6.3-rev33  
Vendor notification: 2018-04-11  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
Researcher Credits: Secator  
CVE reference: CVE-2018-12611  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
HTML mails can contain "mailto:" hyperlinks with body parameters that make TinyMCE create e-mails containing HTML elements. These elements can contain script code, which is executed if the user interacts with those elements.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).  
  
Steps to reproduce:  
1. Create an HTML mail with a hyperlink that points to a mailto: resource and contains script code  
2. Make a user follow this link and then click the injected HTML element  
  
Proof of concept:  
mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E  
  
Solution:  
We now sanitize HTML content which gets pasted to the HTML editor through "mailto:" links.  
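The three frontend issues above (bugs 58226, 58161 and 58096) share one root cause: a value taken from the URL fragment or from a mailto: link is used as a theme path, a link target, or editor content without client-side validation. The following is an added example, not Open-Xchange code, that parses the "#!!&key=value" fragment format seen in the proofs of concept and applies the three checks a frontend would want: an allowlist for theme names (the list itself is constructed), an http(s)-only rule for link targets, and HTML escaping for a mailto: body. The sample inputs follow the shapes shown in the advisory.

```javascript
// Added example, not Open-Xchange code: parse the "#!!&key=value" fragment of an
// App Suite style URL and handle the three user-controlled inputs from the
// advisory on the client side. Theme names come from a constructed allowlist,
// the forgot-password link must be http(s), and a mailto: body is escaped text.

function parseHashParams(url) {
  const idx = url.indexOf("#!!");
  if (idx < 0) return {};
  const params = {};
  for (const pair of url.slice(idx + 3).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Theme selection: the parameter only picks an entry from a fixed set and is
// never concatenated into a path or a script, so traversal or quotes do nothing.
const KNOWN_THEMES = new Set(["default", "dark", "highcontrast"]); // constructed
function resolveTheme(value) {
  return KNOWN_THEMES.has(value) ? value : "default";
}

// Link targets from URL parameters are accepted only as absolute http(s) URLs;
// "javascript:" and any other scheme yield null and the link is not rendered.
function safeExternalHref(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value.trim());
  } catch (e) {
    return null;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A mailto: "body" is user-supplied text for the editor: escape it before it is
// inserted into an HTML editing surface so <select onchange=...> stays literal.
function mailtoBodyAsText(mailtoHref) {
  const q = mailtoHref.indexOf("?");
  if (q < 0) return "";
  const body = new URLSearchParams(mailtoHref.slice(q + 1)).get("body") || "";
  return escapeHtml(body);
}

// Constructed inputs following the shapes shown in the advisory.
const themeUrl = "https://example.com/appsuite/#!!&app=io.ox/files&folder=9&theme=../../../0%22%2Balert(document.cookie)%2B%22";
const resetUrl = "https://example.com/appsuite/#!!&forgot-password=javascript:alert(1)";
const mailto = "mailto:aaa?body=%3Cselect%20onchange%3D%22alert(document.cookie)%22%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E";

console.log("theme ->", resolveTheme(parseHashParams(themeUrl).theme));
console.log("forgot-password ->", safeExternalHref(parseHashParams(resetUrl)["forgot-password"]));
console.log("mailto body ->", mailtoBodyAsText(mailto));
```

Note that the fix the advisory describes for "forgot-password" was to stop reflecting the parameter at all, which is the stronger option; the scheme check above is what you would want for any link target that must remain configurable from a URL.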
  
---  
  
Internal reference: 58051 (Bug ID)  
Vulnerability type: Information Exposure (CWE-200)  
Vulnerable version: 7.8.4 and 7.8.3  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev49  
Vendor notification: 2018-04-09  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
CVE reference: CVE-2018-12610  
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
People who get access to (public) sharing links are able to request the share owner's e-mail address, even though it is not required for sharing to work.  
  
Risk:  
Semi-confidential information is exposed unexpectedly to external entities. This can be used to run targeted spam and malware attacks.  
  
Steps to reproduce:  
1. Create a share of files, calendar etc. and forward this link to the public or another person  
2. Open the share link and run a "list" call of the user API and iterate through user IDs  
  
Proof of concept:  
PUT /appsuite/api/user?action=list&columns=1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614&session=xxx  
[3]  
  
<!DOCTYPE html><html><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><script type="text/javascript">(parent["callback_yell"] || window.opener && window.opener["callback_yell"])({"data":[[6,6,"useruser\"><img>, =8*8","=8*8","useruser\"><img>",null,6,"[email protected]",null,-1,null]],"timestamp":1523086065259})</script></head></html>  
  
Solution:  
We removed user e-mail addresses from responses to API calls triggered by (anonymous) guests.  
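A response filter of that kind has to know which requested columns carry addresses and whether the calling session is a guest. The following is an added example, not Open-Xchange code; the column numbers are taken from the request in the proof of concept, but the mapping of 555 (and 556/557) to e-mail columns is an assumption, consistent only with the position of the address in the response shown above. The row data is constructed.

```javascript
// Added example, not Open-Xchange code: a response filter for the user "list"
// call that blanks e-mail columns whenever the caller is a guest session.
// Column numbers come from the advisory's request; that 555 is an e-mail
// column is an assumption (the address sits at that position in the advisory's
// response), and 556/557 as further e-mail columns likewise.

const EMAIL_COLUMNS = new Set([555, 556, 557]); // assumed column ids

// "1%2C20%2C500..." from the query string -> [1, 20, 500, ...]
function parseColumns(columnsParam) {
  return decodeURIComponent(columnsParam)
    .split(",")
    .map((c) => Number.parseInt(c, 10))
    .filter((n) => Number.isInteger(n));
}

// Rows are positional arrays matching the requested columns. Guests get the
// same row shape (so clients keep working) with e-mail cells set to null.
function filterUserRows(columns, rows, session) {
  if (!session || !session.guest) return rows;
  return rows.map((row) =>
    row.map((value, i) => (EMAIL_COLUMNS.has(columns[i]) ? null : value))
  );
}

// Constructed request and response in the shape shown by the advisory.
const REQUEST_COLUMNS = parseColumns("1%2C20%2C500%2C501%2C502%2C505%2C524%2C555%2C606%2C614");
const SAMPLE_ROWS = [
  [6, 6, "Share Owner", "Share", "Owner", null, 6, "owner@example.invalid", null, -1],
];

const guestView = filterUserRows(REQUEST_COLUMNS, SAMPLE_ROWS, { guest: true });
const memberView = filterUserRows(REQUEST_COLUMNS, SAMPLE_ROWS, { guest: false });
console.log("guest :", JSON.stringify(guestView[0]));
console.log("member:", JSON.stringify(memberView[0]));
```

A deny-list of e-mail columns matches what the advisory says was removed; an allow-list of the few columns a guest genuinely needs (display name, id) is the more robust design, because newly added columns are then hidden from guests by default.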
  
---  
  
Internal reference: 58029 (Bug ID)  
Vulnerability type: Information Exposure (CWE-200)  
Vulnerable version: 7.8.4 and 7.8.3  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev34, 7.8.3-rev49  
Vendor notification: 2018-04-06  
Solution date: 2018-06-25  
Public disclosure: 2018-12-31  
CVE reference: CVE-2018-12610  
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
Active sessions that access a share are not terminated when the owner of the share modifies the share's password or lifetime.  
  
Risk:  
Existing sessions retain access to shares whose security level has been raised, or which are no longer meant to be accessible to the previous set of users.  
  
Steps to reproduce:  
1. Open or login to a share  
2. As owner of the share, modify the share's password  
3. Use the API to request shared data using the previously authenticated session  
  
Proof of concept:  
https://example.com/appsuite/api/files?action=zipfolder&folder=851&recursive=true&session=xxx  
  
Solution:  
We now terminate all active sessions of guests that have access to a share when that share's password is modified.  
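The underlying requirement is that a guest session is bound to the share settings it was authenticated against, so a password or lifetime change must both revoke existing sessions and fail any later access check. The following is an added example, not Open-Xchange code: an in-memory model that walks through the reproduction steps above (the share id "851" is taken from the proof-of-concept URL; passwords are compared in plain text only because this is a model).

```javascript
// Added example, not Open-Xchange code: an in-memory model of guest sessions
// bound to a share. Changing the share's password or lifetime terminates every
// guest session on it, and each remaining session is also checked against the
// share's current version and expiry on every access.

class ShareSessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.shares = new Map();   // shareId -> { password, expiresAt, version }
    this.sessions = new Map(); // sessionId -> { shareId, shareVersion }
    this.nextSession = 1;
  }

  createShare(shareId, { password = null, expiresAt = null } = {}) {
    this.shares.set(shareId, { password, expiresAt, version: 1 });
  }

  // Guest authenticates with the share's password (plain comparison only
  // because this is a model; real code compares a hash in constant time).
  openGuestSession(shareId, password = null) {
    const share = this.shares.get(shareId);
    if (!share) return null;
    if (share.expiresAt !== null && share.expiresAt <= this.now()) return null;
    if (share.password !== password) return null;
    const sessionId = `guest-${this.nextSession++}`;
    this.sessions.set(sessionId, { shareId, shareVersion: share.version });
    return sessionId;
  }

  // Owner changes password and/or lifetime: bump the share version and drop
  // every guest session that was opened against the old settings.
  updateShare(shareId, { password, expiresAt } = {}) {
    const share = this.shares.get(shareId);
    if (!share) return 0;
    if (password !== undefined) share.password = password;
    if (expiresAt !== undefined) share.expiresAt = expiresAt;
    share.version += 1;
    let terminated = 0;
    for (const [id, s] of this.sessions) {
      if (s.shareId === shareId) {
        this.sessions.delete(id);
        terminated += 1;
      }
    }
    return terminated;
  }

  // Access check run by endpoints such as files?action=zipfolder.
  canAccess(sessionId, shareId) {
    const s = this.sessions.get(sessionId);
    const share = this.shares.get(shareId);
    if (!s || !share || s.shareId !== shareId) return false;
    if (s.shareVersion !== share.version) return false;
    if (share.expiresAt !== null && share.expiresAt <= this.now()) return false;
    return true;
  }
}

// Walk through the advisory's reproduction steps against the model.
function demo() {
  const store = new ShareSessionStore();
  store.createShare("851", { password: "old-secret" });
  const sid = store.openGuestSession("851", "old-secret");
  const before = store.canAccess(sid, "851");
  const terminated = store.updateShare("851", { password: "new-secret" });
  const after = store.canAccess(sid, "851");
  return { before, terminated, after };
}

console.log(demo());
```

The version number on the share is the belt-and-braces part: even if a session somehow survives the deletion loop (for instance in a second node of a cluster that has not seen the revocation yet), the mismatch between the session's recorded version and the share's current version denies access.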