what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open-Xchange App Suite / Documents Server-Side Request Forgery

Open-Xchange App Suite / Documents Server-Side Request Forgery
Posted Feb 21, 2020
Authored by Martin Heiland

Open-Xchange App Suite and Documents versions 7.10.2 and below suffer from multiple server-side request forgery vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2019-18846, CVE-2019-9853
SHA-256 | 9e95ed9b8b18b7aa67aa539e677d18a46c58d0f74c70f908ef7a336569ff51e9

Open-Xchange App Suite / Documents Server-Side Request Forgery

Change Mirror Download
Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows to define references to E-Mail attachments that should be added. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL
"datasource": {
"identifier": "com.openexchange.url.mail.attachment",
"url": "file:///var/file"
}

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows to add arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to you network layout.



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows to add arbitrary data sources. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
<img src="http://localhost:22/badboy">
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows to add arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked in case the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to you network layout.



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow to invoke images from URL sources. Since no sufficient blacklist was in place, this allows to make the server-side request arbitrary image resources.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to you network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs to return images. The source for those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users and expose their content through the generated image.

Steps to reproduce:
1. Create a document and use a image "from URL"
2. Enter a URL that redirects to the local documentconverter instance which again contains a reference to a local resource
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is being used by readerengine. This fixes a potential vulnerabilities which are not directly related to readerengine.

Risk:
Existing vulnerabilities at upstream projects could be used in context of OX App Suite / OX Documents. This is an update based on precaution.

Steps to reproduce:
1. n/a

Solution:
n/a

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close