Open-Xchange Security Advisory 2014-09-15

[Martin Heiland <martin.heiland () open-xchange com>]

Product: OX App Suite
Vendor: Open-Xchange GmbH


Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: frontend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-19
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5235
OX bug reference: 33620
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
CDATA encapsulated script code within certain fields of a RSS feeds gets executed by the frontend.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.).

Solution:
RSS feeds now get sanitized more carefully. Users should update to the latest patch releases. Users should avoid 
integrating untrusted or suspicious RSS feeds.



Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33834
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Crafted OLE Objects within OpenDocument Text files can be used to reference objects with absolute or relative paths. By 
using further modifications to the documents XML structure, existing security functions of the LibreOffice backend get 
bypassed. As a result, the referenced file gets included from the servers file system.

Risk:
Attackers may read configuration files located at the server where documentconverter is deployed. Since 
documentconverter runs with reduced permissions, this is valid for all files that can be read by the user group 
"open-xchange".

Solution:
A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases.



Vulnerability type: Absolute Path Traversal (CWE-36)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5236
OX bug reference: 33835
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Crafted images within OpenDocument Text files can be used to reference objects with absolute or relative paths. As a 
result, the referenced file gets included from the servers file system.

Risk:
If an attacker knows the correct path to image files at the server where documentconverter is deployed, those can be 
made available to the attacker. Usually no security-related images are stored within deployments. Content of the OX 
Drive storage could be referenced but since the storage is separated to context- and user-bucket specific, hashed 
paths, it's unlikely for an attacker to successfully referencing such files. Including many files may pose a risk of 
denial-of-service attacks, though.

Solution:
A black- and whitelist has been introduced to control file access. Users should update to the latest patch releases.



Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: documentconverter
Fixed version: 7.4.2-rev10, 7.6.0-rev10
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5237
OX bug reference: 33836
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 4.4 (AV:N/AC:L/Au:M/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Text documents allow embedding remote images, based on URLs provided by the document creator. When editing such a 
document within OX Text, the image gets requested by the users client, which is fine. However, when rendering previews 
of such images, the file gets requested by the server, introducing a SSRF attack vector.

Risk:
Malicious documents could be used to fetch lots of images from a specific host, leading to denial-of-service attacks. 
Also, content may get fetched from legally questionable sources, potentially putting the operator of the 
documentconverter into legal trouble.

Solution:
Outbound traffic of a documentconverter deployment should be controlled on a network level, if an operator does not 
wish to let users include external resources and use them when generating document previews. Users should update to the 
latest patch releases. A new black- and whitelist has been introduced to control access to remote resources.



Vulnerability type: Improper Restriction of Recursive Entity References in DTDs (CWE-776)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: office
Fixed version: 7.4.2-rev11, 7.6.0-rev9
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5238
OX bug reference: 33838
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Since OpenDocument Text documents are XML files, external entities may get included to these files. The XML parser 
tries to resolve these external entities by expanding them (XEE), for example including files or running specific XML 
parser functions. There are several attack vectors, for example including local files from the OX Text deployment or 
creating malicious documents that use exponential entity expansion (XEEE). Such exponential entities can be used to 
create huge documents based on very few lines of XML code.

Risk:
By using an XEE attack, introducing the XML "SYSTEM" entity and absolute or relative paths, the referenced file gets 
included from the servers file system. As a result, the whole file is visible at the OX Text editor. XEEE attacks can 
be used to run denial-of-service attacks to the deployment by creating vastly complex XML files that take a lot of time 
to process.

Solution:
DOCTYPE within ODT files is now forbidden and therefor external or special entities cannot get included anymore. Users 
should update to the latest patch releases.



Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.0 and earlier
Vulnerable component: backend
Fixed version: 7.4.2-rev33, 7.6.0-rev16
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2014-07-31
Solution date: 2014-08-26
Public disclosure: 2013-09-15
CVE reference: CVE-2014-5234
OX bug reference: 33839
Credits: Patrick Hof, Till Maas and Benjamin Grap of RedTeam Pentesting
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Arbitrary script code can be used as folder publication name, leading to code execution at clients that display such 
publications.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (sending mail, deleting data etc.).

Solution:
Publications now get sanitized more carefully. Users should update to the latest patch releases.