Open-Xchange App Suite / Documents Server-Side Request Forgery

21 Feb 2020, reported by Martin Heiland (via packetstormsecurity.com)

Multiple Server-Side Request Forgery vulnerabilities (CVE-2019-18846) in Open-Xchange App Suite / OX Documents 7.10.2 and earlier. The attachment API, the RSS feed feature, the snippets API, mail account setup, OX Documents "image from URL" and the documentconverter all let an authenticated user make the backend fetch local files or internal URLs, either exposing their content or acting as an oracle for mapping the internal network. Vendor-fixed versions are available; the advisory also includes a precautionary LibreOffice backport for readerengine (CVE-2019-9853).

Product: OX App Suite / OX Documents  
Vendor: OX Software GmbH  
  
Internal reference: 67871, 68258 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19  
Vendor notification: 2019-10-31  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
CVE reference: CVE-2019-18846  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)  
  
Vulnerability Details:  
The attachment API for Calendar, Tasks etc. allows clients to supply a reference (a URL) to an e-mail attachment that should be added. This reference was not checked against a sufficient protocol and host blacklist.  
  
Risk:  
Authenticated users can trigger API calls that make the backend read local files or fetch arbitrary URLs. The content of those resources is then stored as the attachment and becomes readable by the user.  
  
Steps to reproduce:  
1. Create a task  
2. Use the /ajax/attachment?action=attach API call and provide a URL  
"datasource": {  
"identifier": "com.openexchange.url.mail.attachment",  
"url": "file:///var/file"  
}  
  
Solution:  
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.  
  
  
  
---  
  
  
  
Internal reference: 67874 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19  
Vendor notification: 2019-10-31  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
Researcher Credits: chbi  
CVE reference: CVE-2019-18846  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
The RSS feature allows users to add arbitrary feed URLs as data sources. To avoid exposing confidential data, a host blacklist and a protocol whitelist had been implemented. Due to an error, the host blacklist was not evaluated if the protocol passed the whitelist.  
  
Risk:  
Users can trigger API calls that request local URLs. Because a reachable host produces a different error than an unreachable one, the feature acts as an oracle that can be used to discover the internal network topology and its services.  
  
Steps to reproduce:  
1. Create a RSS feed  
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed (nip.io is a public wildcard DNS service; this name resolves to 127.0.0.1, so the request is sent to the loopback interface although the literal host is not an IP address)  
3. Monitor the response code  
  
Solution:  
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the protocol/port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.  
  
  
  
---  
  
  
  
Internal reference: 67931, 68258 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19  
Vendor notification: 2019-11-04  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
CVE reference: CVE-2019-18846  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
The snippets API allows users to add arbitrary data sources (for example images referenced from HTML snippet content). These references were not checked against a sufficient protocol and host blacklist.  
  
Risk:  
Users can trigger API calls that request local URLs. Because a reachable host produces a different error than an unreachable one, the feature acts as an oracle that can be used to discover the internal network topology, services and files.  
  
Steps to reproduce:  
1. Create a snippet with HTML content  
2. Include a reference to an internal host/service  
<img src="http://localhost:22/badboy">  
3. Monitor the response code  
  
Solution:  
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.  
  
  
  
---  
  
  
  
Internal reference: 67980 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19  
Vendor notification: 2019-11-05  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
CVE reference: CVE-2019-18846  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
The mail accounts feature allows users to add arbitrary mail servers as data sources. To avoid exposing confidential data, a host blacklist and a protocol whitelist had been implemented. Due to an error, the host blacklist was not evaluated if the protocol passed the whitelist.  
  
Risk:  
Users can trigger API calls that connect to local hosts and ports. Because a reachable host produces a different error than an unreachable one, the feature acts as an oracle that can be used to discover the internal network topology and its services.  
  
Steps to reproduce:  
1. Create a mail account  
2. Use 127.0.0.1:143 as IMAP server  
3. Monitor the network socket  
  
Solution:  
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the protocol/port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.  
  
  
  
---  
  
  
  
Internal reference: 67983 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2  
Vulnerable component: office  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.2-rev4  
Vendor notification: 2019-11-05  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
Researcher Credits: chbi  
CVE reference: CVE-2019-18846  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
Recent versions of OX Documents allow users to insert images from URL sources. Since no sufficient blacklist was in place, users could make the server request arbitrary image resources, including local ones.  
  
Risk:  
Users can trigger API calls that request local URLs. Because a reachable host produces a different error than an unreachable one, the feature acts as an oracle that can be used to discover the internal network topology and its services.  
  
Steps to reproduce:  
1. Create a OX Documents document  
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg  
3. Monitor the response code  
  
Solution:  
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.  
  
  
  
---  
  
  
  
Internal reference: 68252 (Bug ID)  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: readerengine  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6  
Vendor notification: 2019-11-15  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
CVE reference: CVE-2019-18846  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
The documentconverter service can be used to convert "remote" URLs and return the result as images. Those source URLs were not checked against a blacklist, and HTTP redirects were followed, so a public URL could redirect the converter to a local target.  
  
Risk:  
Local resources like images or websites could be invoked by end-users and expose their content through the generated image.  
  
Steps to reproduce:  
1. Create a document and use a image "from URL"  
2. Enter a URL that redirects to the local documentconverter instance, which in turn is told to convert a local resource; the redirect target, URL-encoded as it appears in the request, is  
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng  
(decoded once: http://localhost:8008/documentconverterws?action=convert&url=http%3A//localhost/&targetformat=png)  
  
Solution:  
We now reject redirects and check provided URLs against blacklists and protocol whitelists.  
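
The same validation error recurs across the entries above (attachment datasource URLs, RSS feeds, snippet image references, mail account hosts, OX Documents image-from-URL, and the documentconverter redirect chain): either no host blacklist at all, a host blacklist that was skipped once the protocol passed the whitelist, or redirects followed without re-checking the new target. The following Python is an added example, not OX code; it assumes a constructed in-memory DNS table and HTTP response table (FAKE_DNS, FAKE_WEB) in place of real network access, and checks the blacklist against resolved addresses rather than the literal hostname, which is what defeats names like 127.0.0.1.nip.io.

```python
"""Added example (not OX code): SSRF target validation of the shape the
advisory describes. Protocol whitelist + host blacklist, evaluated in the
right order, host checked after name resolution, redirects refused or
re-validated per hop. DNS/HTTP are constructed tables so it runs offline."""
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}          # protocol whitelist
BLOCKED_HOSTS = {"localhost"}                # literal names, no lookup needed
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table (assumption: stands in for a real resolver).
FAKE_DNS = {
    "127.0.0.1.nip.io": ["127.0.0.1"],       # public wildcard DNS -> loopback
    "localhost": ["127.0.0.1"],
    "feeds.example.com": ["93.184.216.34"],
    "evil.example.net": ["203.0.113.5"],
}

def resolve(host):
    """Addresses a host maps to; a literal IP maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])

def host_blocked(host):
    """Host blacklist applied to the name and to every address it resolves to."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return True
    addrs = resolve(host)
    if not addrs:
        return True                          # unresolvable: fail closed
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:127.0.0.1 is loopback too
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETS):
            return True
    return False

def url_allowed_buggy(url):
    """The evaluation error described for RSS feeds and mail accounts: once
    the protocol passes the whitelist the host blacklist is never consulted
    ("or" where "and" was needed)."""
    p = urlsplit(url)
    return p.scheme in ALLOWED_SCHEMES or not host_blocked(p.hostname or "")

def url_allowed(url):
    """Fixed evaluation: whitelisted protocol AND host not blacklisted."""
    p = urlsplit(url)
    return (p.scheme in ALLOWED_SCHEMES
            and p.hostname is not None
            and not host_blocked(p.hostname))

class SsrfBlocked(Exception):
    pass

# Constructed HTTP responses (assumption): url -> (status, headers, body).
FAKE_WEB = {
    "http://feeds.example.com/feed.xml": (200, {}, b"<rss/>"),
    "http://evil.example.net/feed.xml": (302, {"Location":
        "http://localhost:8008/documentconverterws?action=convert"
        "&url=http%3A//localhost/&targetformat=png"}, b""),
}

def fetch(url, follow_redirects=False, max_hops=3):
    """Fetch a URL, validating the initial target and every redirect hop.
    The vendor's documentconverter fix refuses redirects outright."""
    for _ in range(max_hops + 1):
        if not url_allowed(url):
            raise SsrfBlocked("blocked target: " + url)
        status, headers, body = FAKE_WEB.get(url, (404, {}, b""))
        if status in (301, 302, 303, 307, 308):
            if not follow_redirects:
                raise SsrfBlocked("redirect refused from " + url)
            url = urljoin(url, headers["Location"])  # re-validated next loop
            continue
        return status, body
    raise SsrfBlocked("too many redirects")

def try_fetch(url, **kw):
    """Return ('blocked', reason) instead of raising, for demos and tests."""
    try:
        return fetch(url, **kw)
    except SsrfBlocked as e:
        return ("blocked", str(e))

if __name__ == "__main__":
    for u in ("file:///var/file", "http://127.0.0.1.nip.io:80/test.xml",
              "http://localhost:22/badboy", "http://127.0.0.1/test.jpg",
              "http://feeds.example.com/feed.xml"):
        print(f"{u:40} buggy={url_allowed_buggy(u)!s:5} fixed={url_allowed(u)}")
    print(try_fetch("http://evil.example.net/feed.xml", follow_redirects=True))
```

Two caveats a production implementation needs beyond this: connect to the address that was checked rather than resolving the name a second time at connect time (otherwise a DNS answer that changes between check and connect bypasses the blacklist), and apply the same check to every hop if redirects are followed at all; refusing redirects, as the vendor did for the documentconverter, is the simpler option. For the mail account case the input is a host and port rather than a URL, so host_blocked() is applied to the host directly.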
  
  
  
---  
  
  
  
Internal reference: 68136 (Bug ID)  
Vulnerability type: Missing escaping (CWE-116)  
Vulnerable version: 7.10.2 and earlier  
Vulnerable component: readerengine  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3  
Vendor notification: 2019-11-11  
Solution date: 2019-12-09  
Public disclosure: 2020-02-19  
CVE reference: CVE-2019-9853 (LibreOffice)  
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)  
  
Vulnerability Details:  
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities in LibreOffice that are not directly related to readerengine's own code.  
  
Risk:  
Existing vulnerabilities in upstream projects could be exploitable in the context of OX App Suite / OX Documents. This update is precautionary.  
  
Steps to reproduce:  
1. n/a  
  
Solution:  
n/a  
  
