Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Open-Xchange Security Advisory 2019-08-15

Related Vulnerabilities: CVE-2018-9997   CVE-2019-11521  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#10">By Date</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#10">By Thread</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Open-Xchange Security Advisory 2019-08-15</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Open-Xchange GmbH via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Thu, 15 Aug 2019 10:03:40 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Product: OX Guard
Vendor: OX Software GmbH

Internal reference: 65132 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev48, 7.8.4-rev59, 7.10.0-rev32, 7.10.1-rev14, 7.10.2-rev5
Vendor notification: 2019-05-09
Solution date: 2019-06-13
Public disclosure: 2019-08-15
CVE reference: CVE-2018-9997
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Curly brackets can be used to bypass XSS sanitization in HTML mail and other HTML attachments. A variation of the 
original issue has been found thats based on incorrect global eventhandler blacklist entries.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create a HTML mail with curly brackets that disguise event handlers in CSS
2. Make a App Suite user open the malicious mail

Proof of concept:
&lt;div style=width:100%;height:10px;font:\"'/{/onMouseLeave=alert(1)//&gt;&lt;/div&gt;

Solution:
We updated the list of blacklisted event handlers to close this bypass, operators may add a workaround by updating 
"globaleventhandlers.list" and change the incorrect handler "onmounseleave" to "onmouseleave".


--


Internal reference: 64992 (Bug ID)
Vulnerability type: Data validation fault (CWE-34)
Vulnerable version: 7.10.1 and earlier, 2.10.2 and earlier
Vulnerable component: guard, backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version (guard): 2.8.0-rev22, 2.10.1-rev7
Fixed version (backend): 7.8.4-rev59, 7.10.1-rev14
Vendor notification: 2019-05-03
Solution date: 2019-06-13
Public disclosure: 2019-08-15
Researcher Credits: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, 
and Jörg Schwenk
CVE reference: CVE-2019-11521
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Vulnerability Details:
Internal evaluation revealed that OX Guard is vulnerable to a subset of techniques used to display a valid signature 
from the identity of a trusted communication partner located in the mail header, although the crafted email is actually 
signed by an attacker. Our discoveries are based on work of a team of researchers, publishing these spoofing techniques 
under the "Johnny You Are Fired" project name.

Risk:
Recipients of signed PGP mail could be fooled to assume the mail originates from a trusted source rather than an 
attacker. This would elevate the mails trust level and potentially ease social-engineering attacks.

Steps to reproduce:
1. Create mails that contain valid signatures but originate from a different source

Proof of concept:
<a rel="nofollow" href="https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id">https://github.com/RUB-NDS/Johnny-You-Are-Fired/tree/master/04-id</a>

Solution:
We improved validation and make sure mail with valid signatures is only evaluated to be "trusted" if the sender matches 
the signature issuer. We also extended our API to provide more information about a specific signature to let clients 
add checks and handle invalid signature information.

</pre><p><strong>Attachment:
<a href="att-10/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> Message signed with OpenPGP</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#10">By Date</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="9"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#10">By Thread</a>
<a href="11"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><a name="9" href="9">Open-Xchange Security Advisory 2019-08-15</a> <em>Open-Xchange GmbH via Fulldisclosure (Aug 16)</em>
<ul>
<li>&lt;Possible follow-ups&gt;</li>
<li><strong>Open-Xchange Security Advisory 2019-08-15</strong> <em>Open-Xchange GmbH via Fulldisclosure (Aug 16)</em>
</li>
 </ul>
</li>
</ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started