SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   Open-Xchange
Vendors:   Open-Xchange Inc.
Open-Xchange XHTML File Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1031488
SecurityTracker URL:  http://securitytracker.com/id/1031488
CVE Reference:   CVE-2014-8993
Date:  Jan 5 2015
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.6.1 and prior
Description:   A vulnerability was reported in Open-Xchange. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted file that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Open-Xchange software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Files with the 'application/xhtml+xml' mime-type and with a valid XHTML doctype can trigger this flaw.

The vendor was notified on November 18, 2014.

John de Kroon of Voiceworks B.V. reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Open-Xchange software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (7.4.2-rev40, 7.6.0-rev32, 7.6.1-rev11) [in December 2014].

The vendor's advisories are available at:

https://forum.open-xchange.com/showthread.php?9149-Open-Xchange-releases-Security-Public-Patch-2014-12-01-for-OX-App-Suite-and-OX-6-Back

https://forum.open-xchange.com/showthread.php?9151-Open-Xchange-releases-Security-Public-Patch-2014-12-01-for-OX-App-Suite-and-OX-6-Back

https://forum.open-xchange.com/showthread.php?9153-Open-Xchange-releases-Security-Public-Patch-2014-12-01-for-OX-App-Suite-OX-6-Backend

Vendor URL:  www.open-xchange.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Open-Xchange Security Advisory 2015-01-05

Product: Open-Xchange Server 6 / OX AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 35512 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.4.2-rev40, 7.6.0-rev32, 7.6.1-rev11
Researcher credits: John de Kroon of Voiceworks B.V.
Vendor notification: 2014-11-18
Solution date: 2014-12-03
CVE reference: CVE-2014-8993
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
When embedding script code within a file that gets identified by the "application/xhtml+xml" mime-type and provides a valid XHTML doctype, the existing sanitizer does not get triggered and therefore does not remove potentially harmful script code. Since browsers detect the doctype information, the script code gets executed. The issue may be used to execute a stored cross-site scripting attack.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Potential attack vectors are E-Mail (via attachments) or Drive.

Solution:
Users should update to the latest patch releases 7.4.2-rev40, 7.6.0-rev32 and 7.6.1-rev11 (or later).
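The root cause described in both the SecurityTracker description and the vendor's "Vulnerability Details" is a sanitizer keyed on the declared type: it ran for HTML but not for a file declared as application/xhtml+xml carrying a valid XHTML doctype, which a browser parses as a document and executes. The following is an added illustration for defenders, not Open-Xchange's code and not a reconstruction of the actual patch. It assumes a server that decides, per user-supplied file (mail attachment or Drive item), whether the markup sanitizer must run, and shows the flawed "text/html only" rule beside a hardened rule that considers every browser-renderable markup type and sniffs the content itself, plus a minimal XHTML sanitizer built on the standard library. The function names, the MARKUP_TYPES set and the sample file are constructed for this example.

```python
"""Added example (not Open-Xchange code): content-type routing for
user-supplied files plus a minimal XHTML sanitizer.

The defensive rule: decide "does this need the markup sanitizer?" from
every type a browser renders as a scriptable DOM, and from the content
itself, never from the declared type alone.
"""
import re
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Serialise XHTML back with a default namespace instead of ns0: prefixes.
ET.register_namespace("", XHTML_NS)

# Every MIME type a browser turns into a scriptable DOM, not only text/html.
MARKUP_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "application/xml",
    "text/xml",
    "image/svg+xml",
}

# Signatures in the first bytes that make a browser treat a body as markup.
MARKUP_SIGNATURE_RE = re.compile(
    rb"<!DOCTYPE\s+html|<html[\s>]|<svg[\s>]|<\?xml", re.IGNORECASE
)

# Attribute local names whose value is a URL the browser may navigate to
# or load ("href" also covers xlink:href once the namespace is stripped).
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


def _base_type(declared_type: str) -> str:
    """'application/xhtml+xml; charset=utf-8' -> 'application/xhtml+xml'."""
    return declared_type.split(";", 1)[0].strip().lower()


def weak_policy(declared_type: str) -> bool:
    """The flawed rule the advisory describes: only text/html is sanitised.
    Constructed approximation of the behaviour, not the vendor's code."""
    return _base_type(declared_type) == "text/html"


def looks_like_markup(head: bytes) -> bool:
    """Sniff the first KiB the way browsers do, skipping a BOM and whitespace."""
    sample = head[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    return MARKUP_SIGNATURE_RE.search(sample) is not None


def needs_sanitizing(declared_type: str, head: bytes) -> bool:
    """Hardened rule: declared type OR content says markup -> sanitise."""
    return _base_type(declared_type) in MARKUP_TYPES or looks_like_markup(head)


def _local(name: str) -> str:
    """Drop ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value: str) -> bool:
    """Browsers ignore whitespace and control characters inside the scheme."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:")


def sanitize_xhtml(data: bytes) -> str:
    """Remove script elements, on* handlers and javascript: URLs from XHTML.

    Parses as XML, which is what a browser does for application/xhtml+xml,
    so the structure cleaned here matches what the browser would execute.
    ElementTree does not re-emit the XML prolog or doctype; a deployment
    re-adds them or serves the result as text/html.
    """
    root = ET.fromstring(data)
    # Snapshot first: removing children while iterating is not safe.
    for parent in list(root.iter()):
        for child in list(parent):
            if isinstance(child.tag, str) and _local(child.tag) == "script":
                parent.remove(child)
    for element in root.iter():
        for attr in list(element.attrib):
            name = _local(attr)
            if name.startswith("on") or (
                name in URL_ATTRS and _is_script_url(element.attrib[attr])
            ):
                del element.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample of the file class the advisory describes: XML prolog,
# valid XHTML doctype, inline script (body is a placeholder comment).
SAMPLE_XHTML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head><title>constructed sample</title></head>
  <body>
    <p onmouseover="void(0)">Quarterly report</p>
    <script type="text/javascript">/* placeholder: would run in the webmail origin */</script>
    <a href="javascript:void(0)">link</a>
  </body>
</html>
"""

if __name__ == "__main__":
    for declared in ("text/html", "application/xhtml+xml; charset=utf-8"):
        print(f"{declared:40} weak={weak_policy(declared)} "
              f"hardened={needs_sanitizing(declared, SAMPLE_XHTML)}")
    print(sanitize_xhtml(SAMPLE_XHTML))
```

Running the script shows the weak rule returning False for the XHTML sample while the hardened rule returns True, and prints the sample with the script element, the on* handler and the javascript: link removed. The sniffing step matters because the declared type is under the uploader's control; whichever branch a file takes, serving user content with `X-Content-Type-Options: nosniff` and a Content-Disposition of attachment for anything the sanitizer did not process is the usual complement.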
 
 


Copyright 2021, SecurityGlobal.net LLC