Vulnerability Details:
Publications allow sharing files with external data consumers. Access to a publication is secured with a random hash, and a publication is meant to grant access to the shared directory or file only. However, because the folder identifier was not properly taken into account when calculating permissions, a user who has obtained access to a publication is able to read other files that the owner did not intend to publish.
Risk:
External users that have valid access to a publication may access files that are not intended to be shared with them.
Solution:
Users should update to the latest patch releases 7.4.2-rev42, 7.6.0-rev36 and 7.6.1-rev14 (or later).
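To make the flaw concrete, the following added Python model (not Open-Xchange code; all names and the sample data are constructed) places a permission check that ignores the folder identifier beside one that enforces it: with the vulnerable check, a valid publication token for one folder also unlocks the owner's files in unrelated folders.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical model of a "publication": a share of one folder (or one
# file) that anyone holding the random token may reach.
@dataclass(frozen=True)
class File:
    file_id: int
    folder_id: int
    owner: str

@dataclass(frozen=True)
class Publication:
    token: str                      # random secret carried in the share link
    owner: str
    folder_id: int                  # folder that was actually published
    file_id: Optional[int] = None   # set when a single file is published

FILES: Dict[int, File] = {          # constructed sample data
    1: File(1, 100, "alice"),       # folder 100 is the published folder
    2: File(2, 100, "alice"),
    3: File(3, 200, "alice"),       # alice's private folder, never published
    4: File(4, 300, "bob"),
}
PUBLICATIONS: Dict[str, Publication] = {}

def publish(owner: str, folder_id: int, file_id: Optional[int] = None) -> str:
    token = secrets.token_hex(16)
    PUBLICATIONS[token] = Publication(token, owner, folder_id, file_id)
    return token

def vulnerable_can_read(token: str, file_id: int) -> bool:
    """Flawed check: validates the token and that the file belongs to the
    publication's owner, but never compares the folder identifier."""
    pub, f = PUBLICATIONS.get(token), FILES.get(file_id)
    return pub is not None and f is not None and f.owner == pub.owner

def fixed_can_read(token: str, file_id: int) -> bool:
    """Hardened check: the file must be the published file or sit inside the
    published folder; a valid token and matching owner alone are not enough."""
    pub, f = PUBLICATIONS.get(token), FILES.get(file_id)
    if pub is None or f is None or f.owner != pub.owner:
        return False
    if pub.file_id is not None:
        return f.file_id == pub.file_id
    return f.folder_id == pub.folder_id
```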
Advisory metadata (Securityvulns record SECURITYVULNS:DOC:31716, published 2015-02-16):
Title: Open-Xchange Security Advisory 2015-02-12
Product: Open-Xchange Server 6 / OX AppSuite
Vendor: Open-Xchange GmbH
Internal reference: 35889 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.6.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.4.2-rev42, 7.6.0-rev36, 7.6.1-rev14
Vendor notification: 2014-12-17
Solution date: 2015-01-13
CVE reference: CVE-2014-9466
CVSSv2: 6.0 (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:ND/AR:ND)
Related records: CVE-2014-9466 (NVD), OPENVAS:1361412562310806078, SECURITYVULNS:VULN:14265
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:31716
Related records:

CVE-2014-9466 (NVD, published 2015-02-17, modified 2018-10-09; CWE-264; CVSSv2 base score 4.0, AV:N/AC:L/Au:S/C:P/I:N/A:N):
Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle directory permissions, which allows remote authenticated users to read files via unspecified vectors, related to the "folder identifier."
Affected CPEs: cpe:/a:open-xchange:open-xchange_appsuite:7.4.2, cpe:/a:open-xchange:open-xchange_appsuite:7.6.0, cpe:/a:open-xchange:open-xchange_appsuite:7.6.1
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9466

OpenVAS check OPENVAS:1361412562310806078, "Open-Xchange (OX) AppSuite Access Control Vulnerability" (author Rinu Kuriakose <krinu@secpod.com>; Copyright (C) 2015 Greenbone Networks GmbH, GPLv2 or later; created 2015-10-07; Bugtraq ID 72587; QoD type remote_banner; family "Web application abuses"):
Summary: The host is installed with Open-Xchange (OX) AppSuite and is prone to information disclosure vulnerability.
Detection method: Checks if a vulnerable version is present on the target host.
Insight: The flaw is due to improper handling of directory permissions which allows reading files via unspecified vectors, related to the 'folder identifier'.
Impact: Successful exploitation will allow remote authenticated users to access certain files on the target system that are not intended to be shared with them.
Affected: Open-Xchange (OX) AppSuite versions before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14
Solution: Upgrade to Open-Xchange (OX) AppSuite version 7.4.2-rev42 or 7.6.0-rev36 or 7.6.1-rev14 or later.
References: http://www.securitytracker.com/id/1031744, https://packetstormsecurity.com/files/130379
http://plugins.openvas.org/nasl.php?oid=1361412562310806078

The check itself is a remote banner test: it depends on gb_ox_app_suite_detect.nasl and the key open_xchange_appsuite/installed, appends the detected revision to the version string, and reports when the combined value falls below the fixed revision of its branch (NASL source, description block omitted):

  CPE = "cpe:/a:open-xchange:open-xchange_appsuite";

  include("version_func.inc");
  include("host_details.inc");

  if(!oxPort = get_app_port(cpe:CPE)){
    exit(0);
  }

  oxVer = get_app_version(cpe:CPE, port:oxPort);
  if(!oxVer || "unknown" >< oxVer){
    exit(0);
  }

  oxRev = get_kb_item("open_xchange_appsuite/" + oxPort + "/revision");

  if(oxRev){

    ## Updating version with revision number
    oxVer = oxVer + "." + oxRev;

    if(version_is_less(version:oxVer, test_version:"7.4.2.42"))
    {
      fix = "7.4.2-rev42";
      VULN = TRUE;
    }

    if(version_in_range(version:oxVer, test_version:"7.6.0", test_version2:"7.6.0.35"))
    {
      fix = "7.6.0-rev36";
      VULN = TRUE;
    }

    if(version_in_range(version:oxVer, test_version:"7.6.1", test_version2:"7.6.1.13"))
    {
      fix = "7.6.1-rev14";
      VULN = TRUE;
    }

    if(VULN)
    {
      report = 'Installed Version: ' + oxVer + '\nFixed Version: ' + fix + '\n';
      security_message(port:oxPort, data:report);
      exit(0);
    }
  }

  exit(99);

Note that the script only reports when a revision number was detected; without it the test exits with 99 and gives no result.

Securityvulns vulnerability SECURITYVULNS:VULN:14265, "Open-Xchange restrictions bypass" (published 2015-02-16; CVSSv2 4.0, AV:N/AC:L/Au:S/C:P/I:N/A:N):
It's possible to bypass file sharing restrictions.
https://vulners.com/securityvulns/SECURITYVULNS:VULN:14265