Multiple security issues for Open-Xchange Server 6 and OX AppSuite

Open-Xchange Security Advisory (multiple vulnerabilities)


Multiple security issues for Open-Xchange Server 6 and OX AppSuite have been discovered and fixed. The vendor has
chosen a responsible full disclosure method to publish security issue details. Users of the software have already been
provided with patched versions. German law prohibits providing code that may be used by attackers, therefore no PoC or
working code is available within this advisory.

Proof regarding the authenticity of these issues can be obtained from the published release notes:
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1381-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1378-2013-04-04.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1379-2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1376_2013-04-04.pdf
http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Public_Patch_Release_1377-2013-04-04.pdf

Product: Open-Xchange Server 6, OX AppSuite
Vendor: Open-Xchange GmbH

***********************

Internal reference: 25140
Vulnerability type: HTTP Header Injection
Vulnerable versions: 6.22.0-rev1 to 7.0.2-rev6
Vulnerable component: backend
Fixed version: 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution status: Fixed by Vendor
Vendor notification: 2013-03-04
Solution date: 2013-04-04
Public disclosure: 2013-04-17
CVE reference: CVE-2013-2582
CVSSv2: 6.2 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The redirect servlet of the application uses the location variable, which specifies the URL a user gets redirected to.
The application performs various replacements to protect a user against HTTP Header Injection. However, these
replacements can be used by an attacker to create a situation where the replace procedure itself creates a redirection
string. When passing an encoded URL to the location parameter of the "redirect" servlet, null-characters (like "%0d")
are replaced by an empty string (""), which effectively creates the sequence "//" that is interpreted by the browser
as "http://".

Risk:
Users may be tricked into visiting a malicious website embedded in a trustworthy URL.


Solution:
The URL passed through the "location" parameter of the "redirect" servlet gets checked more carefully and always
generates a relative URL.
Users should update to the latest patch releases 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
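
The failure mode described above, reduced to a minimal Python sketch (an added example, not Open-Xchange code; the function names and sample inputs are constructed for illustration). A filter that deletes characters can itself assemble "//host", while rejecting such input and only ever emitting a same-host path cannot. Note that "%0d" decodes to a carriage return.

```python
import re
from urllib.parse import unquote, urlsplit

_STRIP = re.compile(r"[\x00\r\n]")  # characters the toy filter deletes

def naive_location(raw: str) -> str:
    """Flawed pattern: decode, delete header-splitting characters, use the rest."""
    return _STRIP.sub("", unquote(raw))

def leaves_site(location: str) -> bool:
    """True if a browser would resolve this Location value to another host."""
    cleaned = location.replace("\\", "/")  # browsers treat "\" like "/"
    return bool(urlsplit(cleaned).scheme) or cleaned.startswith("//")

def safe_location(raw: str, fallback: str = "/") -> str:
    """Hardened pattern: reject rather than repair; only emit a same-host path."""
    decoded = unquote(raw)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return fallback  # never "clean" control characters out of a URL
    if not decoded.startswith("/") or leaves_site(decoded):
        return fallback
    return decoded

# Constructed sample inputs (example.invalid is a reserved placeholder domain).
SAMPLES = [
    "/ajax/files?folder=12",
    "/%0d/example.invalid/login",
    "//example.invalid/login",
    "https://example.invalid/login",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} naive={naive_location(s)!r:34} safe={safe_location(s)!r}")
```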

***********************

Internal reference: 25321
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The infostore module allows storing and sharing items that contain URLs. These URLs can be used to execute JS code when
clicking the "URL" since "javascript:" is allowed as protocol.

Risk:
Shared infostore items may contain malicious code that may be executed by other users. An attacker can gain access to
various authentication information.


Solution:
"javascript:" is no longer allowed as protocol prefix when creating infostore URL links.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
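
A sketch of a link-scheme check for stored URLs (an added example, not Open-Xchange code; the allowed-scheme list and function names are assumptions). It goes one step beyond blocking the single "javascript:" prefix: it normalises the value the way browsers do before parsing and then accepts only schemes on an allowlist.

```python
import re

ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}  # assumed policy for this sketch
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020

def normalise_like_browser(url: str) -> str:
    """Apply the pre-parse cleanup browsers perform, so the check sees what they see."""
    url = url.strip(_C0_AND_SPACE)      # leading/trailing control characters and spaces
    return re.sub(r"[\t\r\n]", "", url)  # tab/CR/LF are dropped anywhere in the URL

def link_scheme(url: str):
    """Return the lower-cased scheme, or None if the value has no scheme."""
    m = _SCHEME.match(normalise_like_browser(url))
    return m.group(1).lower() if m else None

def is_allowed_link(url: str) -> bool:
    """Accept only absolute links whose scheme is on the allowlist."""
    return link_scheme(url) in ALLOWED_SCHEMES

# Constructed sample values.
SAMPLES = [
    "https://example.invalid/doc",
    "javascript:marker()",
    "  JaVaScRiPt:marker()",
    "java\tscript:marker()",
    "data:text/html,marker",
    "example.invalid/doc",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} scheme={link_scheme(s)!r:14} allowed={is_allowed_link(s)}")
```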

***********************

Internal reference: 25341
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML files that got uploaded to the infostore may contain carefully crafted script code that exploits existing security
checks to generate new malicious code.
Non-working example: <scr<script><!--</script><script>-src=<malicious code></script/>

Risk:
Malicious HTML files with embedded JS can be shared with other users to obtain authentication information or execute
operations within the context of the victim.


Solution:
Repetitive application of sanitizing steps is performed to filter all malicious code and avoid code forging.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.

***********************

Internal reference: 25342
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
HTML content can be stored as mail signature. That content may contain carefully crafted script code that exploits
existing security checks to generate new malicious code.

Risk:
Malicious JS code can be embedded in a user's signature to obtain authentication information or execute operations
within the context of the victim.


Solution:
Repetitive application of sanitizing steps is performed to filter all malicious code and avoid code forging.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
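
Why a single sanitizing pass is not enough, for both the infostore HTML upload issue (25341) and the mail signature issue (25342), shown as a minimal Python sketch (an added example, not Open-Xchange code; the toy filter, function names and sample string are constructed). Deleting a tag once can join the surrounding fragments into a new tag, so the filter is re-applied until the output stops changing.

```python
import re

# Toy filter for this sketch: delete opening and closing script tags.
_SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)

def strip_once(html: str) -> str:
    """Single pass: whatever the deletions leave behind is never re-checked."""
    return _SCRIPT_TAG.sub("", html)

def strip_until_stable(html: str, max_rounds: int = 20) -> str:
    """Re-apply the filter until a pass changes nothing (a fixed point)."""
    for _ in range(max_rounds):
        cleaned = strip_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    # Input nested deeper than max_rounds is rejected instead of being accepted half-cleaned.
    raise ValueError("input did not stabilise; reject it")

# Constructed sample: the inner tags are removed and the outer halves join up.
NESTED = "<scr<script>ipt>marker()</scr</script>ipt>"

if __name__ == "__main__":
    print("one pass :", strip_once(NESTED))
    print("stable   :", strip_until_stable(NESTED))
```

Iterating to a fixed point only closes the reassembly gap; what the filter matches in the first place still decides what gets through.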

***********************

Internal reference: 25343
Vulnerability Type: Cross Site Scripting
Vulnerable Versions: 7.0.2-rev6 and earlier
Vulnerable component: backend
Fixed Version: 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7
Solution Status: Fixed by Vendor
Vendor Notification: 2013-03-04
Solution date: 2013-04-04
Public Disclosure: 2013-04-17
CVE Reference: CVE-2013-2583
CVSSv2: 5.2 (AV:N/AC:M/Au:S/C:N/I:P/A:N/E:P/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
A forged image file of a specific size can be used to execute script code. To prevent malicious usage, a
magic-byte and content check is performed for the first 2048 Bytes of an image. If the malicious code is appended to
the image or beyond the first 2048 Bytes, it's executed when calling it via a crafted URL.

Risk:
Malicious JS code can be embedded in a contact image to obtain authentication information or execute operations within
the context of the victim. Contacts with malicious image content can be shared with other users.


Solution:
The whole image file is checked more carefully for malicious code and valid image data before accepting the upload.
Users should update to the latest patch releases 6.20.7-rev16, 6.22.0-rev15, 6.22.1-rev17, 7.0.1-rev6, 7.0.2-rev7.
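
A prefix-only check next to a whole-file check, as a Python sketch for PNG uploads (an added example, not Open-Xchange code; the function names, the "<script" marker scan and the sample files are constructed for illustration). The whole-file version scans every byte and walks the chunk structure, so data placed after the end of the image or past the first 2048 bytes is rejected.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"<script"  # stand-in for the content scan; a real filter checks more

def chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(pad: int = 3000) -> bytes:
    """Constructed 1x1 greyscale PNG, padded past 2048 bytes with a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    text = b"Comment\x00" + b"A" * pad
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", text)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

def prefix_check(blob: bytes, window: int = 2048) -> bool:
    """Weak pattern: magic bytes and content are checked in the first window only."""
    head = blob[:window]
    return head.startswith(PNG_SIG) and MARKER not in head.lower()

def whole_file_check(blob: bytes) -> bool:
    """Scan all bytes, then walk every chunk: IHDR first, CRCs valid, IEND last."""
    if not blob.startswith(PNG_SIG) or MARKER in blob.lower():
        return False
    pos, seen = len(PNG_SIG), []
    while pos < len(blob) and (not seen or seen[-1] != b"IEND"):
        if pos + 12 > len(blob):
            return False  # truncated chunk header
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype, end = blob[pos + 4:pos + 8], pos + 12 + length
        if end > len(blob):
            return False  # declared length runs past the file
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(blob[pos + 4:end - 4]):
            return False
        seen.append(ctype)
        pos = end
    # Anything left after IEND is trailing data and is rejected.
    return seen[:1] == [b"IHDR"] and seen[-1:] == [b"IEND"] and pos == len(blob)

CLEAN = make_png()
TAILED = CLEAN + b"<script>marker()</script>"  # constructed: bytes after IEND
```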

***********************





//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information


