PACKETSTORM:151243
Open-Xchange OX App Suite Cross Site Scripting / SSRF

2019-01-21 00:00:00
Martin Heiland
packetstormsecurity.com
EPSS: 0.002 (Low), 58.0% percentile

Product: OX App Suite  
Vendor: OX Software GmbH  
  
Internal reference: 59653 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.0  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.0-rev13  
Vendor notification: 2018-07-31  
Solution date: 2018-08-21  
Public disclosure: 2019-01-18  
Researcher Credits: Gamal negm eldin  
CVE reference: CVE-2018-13104  
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
Attachment file names in mail can be used to inject script code, which runs when the victim hovers ("mouse over") the attachment.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data, etc.).  
  
Steps to reproduce:  
1. Create a malicious multipart HTML E-Mail  
2. Make the recipient expand the "attachments" area and mouse-over the attachment  
  
Proof of concept:  
------=_Part_361_1510656222.1533025735063  
Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"  
Content-Transfer-Encoding: base64  
Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"  
  
  
Solution:  
We made sure to use the actual text node as label to avoid injecting DOM nodes.  
  
  
---  
  
  
Internal reference: 59507 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.0 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.0-rev13, 7.8.4-rev40, 7.8.3-rev44, 7.6.3-rev34  
Vendor notification: 2018-07-25  
Solution date: 2018-08-16  
Public disclosure: 2019-01-18  
Researcher Credits: Zhihua Yao (chihuahua)  
CVE reference: CVE-2018-13104  
CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
File names of attachments of PIM objects (appointments, contacts, tasks) can be used to inject script code. Sharing such objects with other users allows attacking them. This requires a trust relationship between those users, or both have to be provisioned to the same context.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data, etc.).  
  
Steps to reproduce:  
1. Create a PIM object, like an appointment  
2. Upload an attachment with a malicious file name  
3. Make the victim open the object in detail view  
  
Proof of concept:  
"><img src=x onerror=alert(document.domain)>.jpg  
  
Solution:  
We transformed file names to text nodes before adding them to DOM.  
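
Both frontend fixes above (bugs 59653 and 59507) come down to the same rule: an attacker-chosen file name must only ever become a text node, never markup. The following Python is an added example, not OX App Suite code. It extracts the attachment name from a constructed multipart mail modelled on the PoC headers, renders it once the way the vulnerable code effectively did (raw concatenation into markup) and once escaped (the server-side equivalent of a text node), then parses each result to show which elements and on* handlers a browser would actually create. The PIM_FILENAME literal is the PoC from the bug 59507 entry; all function names are assumptions of this example.

```python
import html
from email import message_from_string
from html.parser import HTMLParser

# Constructed multipart mail modelled on the advisory's PoC headers (bug 59653); body is a dummy SVG.
RAW_MAIL = "\n".join([
    "From: sender@example.com",
    "To: victim@example.com",
    "Subject: attachment name test",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----=_Part_361_1510656222.1533025735063"',
    "",
    "------=_Part_361_1510656222.1533025735063",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "see attachment",
    "------=_Part_361_1510656222.1533025735063",
    'Content-Type: image/svg+xml; name="<u onmouseover=alert(1)>w"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="<u onmouseover=alert(1)>w"',
    "",
    "PHN2Zy8+",
    "------=_Part_361_1510656222.1533025735063--",
    "",
])

# PoC file name from the PIM attachment entry (bug 59507), as a constructed literal.
PIM_FILENAME = '"><img src=x onerror=alert(document.domain)>.jpg'


def attachment_filenames(raw_mail):
    """File names of all attachment parts, exactly as the sender chose them (attacker-controlled text)."""
    msg = message_from_string(raw_mail)
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def render_label_unsafe(filename):
    """What the vulnerable pattern amounts to: the raw name is concatenated into markup (innerHTML-style)."""
    return f'<span class="filename">{filename}</span>'


def render_label_safe(filename):
    """Equivalent of the vendor's fix: the name only ever becomes text, never markup."""
    return f'<span class="filename">{html.escape(filename, quote=True)}</span>'


class _NodeCollector(HTMLParser):
    """Records the elements and on* attributes a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags, self.event_handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def dom_nodes(fragment):
    """(tags, on* handler names) that the fragment injects into the document."""
    parser = _NodeCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.event_handlers


if __name__ == "__main__":
    for name in attachment_filenames(RAW_MAIL) + [PIM_FILENAME]:
        print("unsafe:", dom_nodes(render_label_unsafe(name)))
        print("safe:  ", dom_nodes(render_label_safe(name)))
```

The unsafe rendering of the mail PoC yields a second element (`u`) carrying an `onmouseover` handler; the escaped rendering yields only the label's own `span`. The same holds for the PIM name, where the raw concatenation produces an `img` element with `onerror`.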
  
  
---  
  
  
Internal reference: 58742 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41  
Vendor notification: 2018-05-24  
Solution date: 2018-08-21  
Public disclosure: 2019-01-18  
Researcher Credits: Secator  
CVE reference: CVE-2018-13104  
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Specific URL parameters can be used to circumvent the handling of potentially malicious files. Normally we force the user agent to download such files rather than possibly rendering them.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data, etc.).  
  
Steps to reproduce:  
1. Create a malicious HTML file and upload it to Drive  
2. Modify the file type to "application/xml" or "application/xhtml+xml" to trigger UA content guessing  
3. Create a link to download that file and use the content_disposition=inline parameter  
4. Share the link with some other user of the system, or a guest and make them open it  
  
Proof of concept:  
https://example.com/appsuite/api/files/html-xml?action=document&folder=10&id=10%2F348&content_disposition=inline  
  
Solution:  
We now prefer server-side content-disposition defaults over client-side parameters when dealing with attachments.  
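
An added example of the policy described in the solution (not the project's own code): a hypothetical response_headers() helper reads the client's content_disposition parameter from a request URL like the PoC above, but lets the server-side default (attachment) win for any stored type a browser could render as active content, and adds X-Content-Type-Options: nosniff so the user agent does not second-guess the type. The ACTIVE_TYPES set is an assumption of this example, seeded with the two types the reproduction steps name.

```python
from urllib.parse import parse_qs, urlsplit

# Types a browser may render as active content (markup that can carry script). Any of these is
# delivered as a download regardless of what the client asks for. "application/xml" and
# "application/xhtml+xml" are the two named in the reproduction steps; the rest are assumptions.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "application/xml", "text/xml",
    "image/svg+xml", "text/javascript", "application/javascript",
}


def response_headers(request_url, stored_content_type):
    """Headers for delivering a stored file (hypothetical helper).

    The client may ask for inline display via ?content_disposition=inline (the parameter from
    the PoC), but the server-side default wins whenever the stored type could be executed."""
    query = parse_qs(urlsplit(request_url).query)
    requested = query.get("content_disposition", ["attachment"])[0].strip().lower()
    mime = stored_content_type.split(";", 1)[0].strip().lower()
    if mime in ACTIVE_TYPES:
        disposition = "attachment"      # server-side default, client parameter ignored
    elif requested == "inline":
        disposition = "inline"          # harmless types may honour the client's wish
    else:
        disposition = "attachment"
    return {
        "Content-Type": stored_content_type,
        "Content-Disposition": disposition,
        # stops the user agent from guessing a different (possibly active) type from the bytes
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    poc = ("https://example.com/appsuite/api/files/html-xml"
           "?action=document&folder=10&id=10%2F348&content_disposition=inline")
    print(response_headers(poc, "application/xhtml+xml"))
    print(response_headers(poc, "image/png"))
```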
  
  
---  
  
  
Internal reference: 56457 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.8.4 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev39, 7.8.3-rev50, 7.6.3-rev41  
Vendor notification: 2017-12-11  
Solution date: 2018-08-21  
Public disclosure: 2019-01-18  
Researcher Credits: stemcloud  
CVE reference: CVE-2018-13103  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
Data with references to external content, such as the photo of a contact imported as vCard, can be used to force redirects to local, restricted or internal network addresses.  
  
Risk:  
This can be used to perform port scanning to prepare future attacks and gain information about the target system.  
  
Steps to reproduce:  
1. Create a malicious vcard file, including a remote location for the "PHOTO" attribute  
2. Configure the provided host so that it responds with HTTP 30X redirects to internal hosts  
3. Upload the vcard file to the App Suite system, monitor the runtime and response code  
  
Proof of concept:  
PHOTO;VALUE=URI;TYPE=GIF:http://testserver65.com:70/test.jpeg  
  
Solution:  
We no longer follow HTTP redirects pointing to local or network-internal locations.  
  
  
---  
  
  
Internal reference: 56558 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.6.3 and 7.8.3  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.3-rev50, 7.6.3-rev41  
Vendor notification: 2017-12-19  
Solution date: 2018-08-21  
Public disclosure: 2019-01-18  
Researcher Credits: stemcloud  
CVE reference: CVE-2018-13103  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
IP black-lists can be circumvented by using non-decimal representations of IP addresses.  
  
Risk:  
This can be used to perform port scanning, host discovery and content retrieval to prepare future attacks and gain information about the target system.  
  
Steps to reproduce:  
1. Create content with external references, for example an RSS feed  
2. Use octal or hexadecimal representation of IP addresses (8, 16, 24 or 32-bit)  
  
Proof of concept:  
Octal:  
http://017700000001/foo.xml  
  
Hex:  
http://0x7f000001/foo.xml  
  
Decimal:  
http://2130706433/foo.xml  
  
Solution:  
We now properly detect octal and hexadecimal IP address representations.  
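
The last two entries (bugs 56457 and 56558) are two halves of one check: every address a URL can reach, whether spelled as a decimal, octal or hexadecimal literal, obtained through DNS, or arriving later in a Location header, has to be classified before the backend fetches it. The Python below is an added example, not OX App Suite code. It reimplements inet_aton-style parsing so all three PoC spellings normalise to 127.0.0.1, resolves DNS names through an injectable resolver (a constructed fake is included so it runs offline; testserver65.com from the vCard PoC is mapped to an arbitrary public address), and walks a redirect chain hop by hop, refusing the first hop that lands on a local or internal address. All function names are assumptions of this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Component forms accepted by BSD-style inet_aton: 0x.. hex, 0.. octal, otherwise decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_component(part):
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def ipv4_from_literal(host):
    """IPv4Address an inet_aton-style parser derives from host, or None if host is no numeric literal.

    1 to 4 components; the last one fills the remaining bytes (a.b.c.d, a.b.c, a.b, a)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    *head, tail = values
    tail_bits = 8 * (5 - len(values))
    if any(v > 0xFF for v in head) or tail >= 1 << tail_bits:
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << tail_bits) | tail)


def literal_address(host):
    """Any address literal (all IPv4 spellings above, plus IPv6), or None for a DNS name."""
    addr = ipv4_from_literal(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return addr


def is_internal(addr):
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fetch_allowed(url, resolve=_system_resolve):
    """True only if every address the URL's host maps to is external.

    resolve(host) must return a list of address strings or raise OSError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = literal_address(parts.hostname)
    try:
        addrs = [addr] if addr is not None else [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError):  # resolution failure, or junk returned by the resolver
        return False
    return bool(addrs) and not any(is_internal(a) for a in addrs)


def first_blocked_hop(chain, resolve=_system_resolve):
    """chain = initial URL followed by each Location seen; returns the first hop that must not be fetched, or None."""
    for url in chain:
        if not fetch_allowed(url, resolve):
            return url
    return None


# Constructed stand-in for DNS so the example runs offline; 23.45.67.89 is an arbitrary public address.
_FAKE_DNS = {"testserver65.com": ["23.45.67.89"], "intranet.example": ["10.0.0.5"]}


def fake_resolve(host):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return _FAKE_DNS[host]


if __name__ == "__main__":
    for spelling in ("017700000001", "0x7f000001", "2130706433", "0177.0.0.1", "127.1"):
        print(spelling, "->", ipv4_from_literal(spelling))
    print(first_blocked_hop(["http://testserver65.com:70/test.jpeg", "http://0x7f000001:8009/"], fake_resolve))
```

Two design points matter here. Checking only the initial URL is not enough: the 56457 report is precisely a redirect that starts external and ends internal, so every Location must pass the same check before it is followed. And a DNS name must be judged by all the addresses it resolves to, not by its spelling, which is why resolution is a parameter rather than something done implicitly by the HTTP client.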
  
  
---  
  
  
Internal reference: 56406 (Bug ID)  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.8.4  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev40  
Vendor notification: 2017-12-06  
Solution date: 2018-08-21  
Public disclosure: 2019-01-18  
Researcher Credits: Secator  
CVE reference: CVE-2018-13104  
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
Content of mails added to the Portal is executed as script code, so malicious code within mails can be stored persistently.  
  
Risk:  
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data, etc.).  
  
Steps to reproduce:  
1. Create an E-Mail with malicious script code  
2. Make a user add this E-Mail to the Portal  
  
Proof of concept:  
<!DOCTYPE html>  
<html>  
<head>  
<meta charset="UTF-8">  
</head>  
<body>  
<p style="" class="default-style"><img src="x" onerror="alert(document.cookie);"></p>  
</body>  
</html>  
  
Solution:  
We adjusted "unescaping" of mail content at the frontend side.  
  
