Open-Xchange Security Advisory 2019-04-01

Related Vulnerabilities: CVE-2019-7159   CVE-2019-7158  
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Open-Xchange Security Advisory 2019-04-01</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Open-Xchange GmbH via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Mon, 1 Apr 2019 10:13:07 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH


Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 61771 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.6.3-rev44, 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-23
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7159
CVSS: 4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The "oxsysreport" tool failed to sanitize custom configuration parameters that could contain credentials like API keys.

Risk:
Unintended configuration information has been collected and potentially sent to OX for further analysis. This 
transmission would happen through secure channels and to authorized personnel. We have no indication that data was used 
illegitimately.

Steps to reproduce:
1. Have configuration properties that don't match the expected format (e.g. commented out, custom key format)
2. Run oxsysreport and check what parameters have been sanitized

Solution:
We made sure to remove all incorrectly collected information and removed backups thereof. To solve the root cause, the 
oxsysreport tool has been updated to deal with other patterns of properties.


---


Internal reference: 61315 (Bug ID)
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 7.10.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed Version: 7.8.3-rev53, 7.8.4-rev51, 7.10.0-rev25, 7.10.1-rev7
Vendor notification: 2018-11-06
Solution date: 2019-02-13
Public disclosure: 2019-04-01
CVE reference: CVE-2019-7158
CVSS: 4.2 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
If users chose not to "stay signed in" or the operator disabled that functionality, cookies are maintained for 
a "session" lifetime to make sure they expire after the browser session has ended. Using "reload" on the existing 
browser session led to the impression that the session is already terminated as the login screen would be shown 
afterwards. However, those cookies are maintained by the browser for the remainder of the session until termination of 
the browser tab or window.

Risk:
Users could get the incorrect impression that their session has been terminated after reloading the browser window. In 
fact, the credentials for authentication (cookies) were maintained and other users with physical access to the browser 
could re-use them to execute API calls and access other users' data.

Steps to reproduce:
1. Login with "Stay signed in" disabled
2. Reload the browser
3. Check which cookies are maintained while the "login" page is displayed

Solution:
We now drop the session associated with the existing secret cookie on the server side in case a new login is performed and thus 
a new secret cookie is about to be written.

</pre><p><strong>Attachment:
<a href="att-2/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> Message signed with OpenPGP</p>
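<p>Added example (not part of the advisory and not oxsysreport's own code): a sketch of the CVE-2019-7159 failure mode, where a sanitizer that only recognises active <tt>key=value</tt> lines misses commented-out properties and custom key formats, beside a line parser that redacts them. The property names, values and both regular expressions are constructed for illustration.</p>

```python
import re

# Constructed sample of a Java-style .properties file; every key and value is made up.
SAMPLE = """\
com.example.mail.password=hunter2
# com.example.old.apiKey = abc123
com.example.sms.api-key: k-998877
com.example.oauth.clientSecret  s3cr3t
com.example.server.port=8009
!legacy.token=tok-42
"""
SECRETS = ("hunter2", "abc123", "k-998877", "s3cr3t", "tok-42")

# Weak form: only active "key=value" lines whose key ends in a fixed suffix.
NAIVE = re.compile(r"^([\w.]+(?:password|secret))=(.*)$", re.I | re.M)

def naive_sanitize(text):
    return NAIVE.sub(r"\1=[REDACTED]", text)

# Hardened form: split every line into optional comment marker (# or !),
# key, separator ('=', ':' or plain whitespace) and value, then decide on the key.
LINE = re.compile(r"^(\s*[#!]?\s*)([^\s=:#!][^\s=:]*)(\s*[=:]\s*|\s+)(.*)$")
SENSITIVE = re.compile(r"pass(w(or)?d)?|secret|token|api[-_.]?key|credential", re.I)

def strict_sanitize(text):
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        # Redact the value, keep marker, key and separator so the report stays readable.
        if m and m.group(4) and SENSITIVE.search(m.group(2)):
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]"
        out.append(line)
    return "\n".join(out) + "\n"

def leaked(text):
    """Return the constructed secrets that survive in a sanitized report."""
    return [s for s in SECRETS if s in text]

if __name__ == "__main__":
    print("naive leaves :", leaked(naive_sanitize(SAMPLE)))
    print("strict leaves:", leaked(strict_sanitize(SAMPLE)))
    print(strict_sanitize(SAMPLE))
```

<p>Running a check like <tt>leaked()</tt> over a generated report with a set of planted canary values is a quick regression test for any diagnostic collector.</p>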
<!--X-Body-of-Message-End-->
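<p>Added example (not part of the advisory and not OX App Suite code): a toy model of the CVE-2019-7158 fix, in which the server drops the session bound to the secret cookie the browser still presents when a new login is performed. The class, method and parameter names are hypothetical; the last return value shows that the old cookie stays usable until that next login happens.</p>

```python
import secrets

class SessionStore:
    """Toy server-side session table keyed by the 'secret' cookie value."""

    def __init__(self, drop_old_on_login):
        # drop_old_on_login=False models the behaviour before the fix.
        self.drop_old_on_login = drop_old_on_login
        self.sessions = {}  # secret cookie value -> user name

    def login(self, user, presented_secret=None):
        # presented_secret: session cookie the browser still sent along
        # with the login request (it survives a reload of the tab).
        if self.drop_old_on_login and presented_secret is not None:
            self.sessions.pop(presented_secret, None)
        new_secret = secrets.token_urlsafe(32)
        self.sessions[new_secret] = user
        return new_secret

    def api_call(self, secret):
        """Return the user the cookie authenticates, or None if rejected."""
        return self.sessions.get(secret)

def reload_then_relogin(store):
    old = store.login("alice")             # "Stay signed in" disabled
    # Reload: the login page is shown, yet the cookie is still in the browser.
    before_relogin = store.api_call(old)
    new = store.login("bob", presented_secret=old)
    return before_relogin, store.api_call(old), store.api_call(new)

if __name__ == "__main__":
    print("before fix:", reload_then_relogin(SessionStore(False)))
    print("after fix :", reload_then_relogin(SessionStore(True)))
```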
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>