OX App Suite versions 7.6.0 and below suffer from a remote SQL injection vulnerability.
Product: OX App Suite Vendor: Open-Xchange GmbH Internal reference: 34765 (Bug ID) Vulnerability type: SQL Injection (CWE-89) Vulnerable version: 7.6.0 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Researcher credits: SoftScheck GmbH Fixed version: 7.4.2-rev36, 7.6.0-rev23 Vendor notification: 2013-10-06 Solution date: 2014-10-08 Public disclosure: 2014-11-07 CVE reference: CVE-2014-7871 CVSSv2: 7.6 (AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND) Vulnerability Details: A SQL injection vulnerability has been identified at the "jslob" API call. Abusing the MySQL "ExtractValue" function allows execution of arbitrary SQL code by passing it through MySQLs XPath interpreter. 30 characters of the injected SQL queryies result are returned as an error message by the parser when failing to evaluate XPath. This issue affects MySQL 5.1 and later. Risk: Confidential data may get exposed to authenticated users (attackers). OX AppSuite user passwords are stored hashed and salted either using SHA1 or bcrypt, making it hard to gather plain-text passwords. However, other information like server configuration data, configuration files and database content could be extracted using this vulnerability. Even though the amount of returned data is limited to 30 characters for each request, this vulnerability can be used to subsequently gather more information by using scripts. Steps to reproduce: Forge a PUT request to the jslob api and escape the JSON structure, inject invalid XPath syntax and a piggy-back SQL query to the MySQL XPath interpreter. Bound to german law, we're not allowed to disclose exploit code that could be used to attack in-production systems. Possible solutions: Update to the latest available version of OX AppSuite/OX6 backend. Configure a web application firewall to mitigate such requests. # 0day.today [2016-04-20] #