OXAS-ADV-2023-0001: OX App Suite Security Advisory

[Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>]

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2130
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24597
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:
Remote resources are loaded in print view. When E-Mail is flagged as Spam or if a user has enabled the feature as a 
default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a 
E-Mail, external content was loaded automatically without user consent.

Risk:
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour. No publicly 
available exploits are known.

Solution:
We now apply the same setting for loading external content when generating the E-Mail print content.



---



Internal reference: OXUIB-2034
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-11-02
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24601
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS with non-app deeplinks like "registry". The "registry" sub-tree of the jslob API is used to define which 
application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including 
malicious code.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users 
account or lure a user to a compromised account. No publicly available exploits are known.

Solution:
We made the relevant jslob path read-only for users.




---



Internal reference: OXUIB-2033
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-02-11
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24602
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS at Tumblr portal widget due to missing content sanitization. External content, like post titles, have been 
evaluated as HTML when adding Tumblr feeds to the portal page.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering 
unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users 
account, compromise a Tumblr feed or make the victim include a malicious feed. No publicly available exploits are known.

Solution:
We now insert untrusted external content as plain-text.



---



Internal reference: MWB-1998
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24600
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:
"Read own/delete all" permissions allows moving other users contacts to own address book. Folder ACL combinations like 
"read own, delete all" were incorrectly applied and allowed that users could move objects which they were not expected 
to read.

Risk:
Moving objects to folders with read access effectively bypassed the "read own" restriction. No publicly available 
exploits are known.

Solution:
Permission checks have been updated and include checking for read permissions when performing move operations.



---



Internal reference: MWB-1997
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24605
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:
API access not fully restricted when requiring 2FA. When using the built-in multi-factor authentication, access to a 
number of API endpoints was possible prior to successful authentication using the second factor.

Risk:
Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well 
as modifying names of the multi-factor tokens. No publicly available exploits are known.

Solution:
We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.



---



Internal reference: MWB-1995
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-09
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24598
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:
Distribution lists allow discovering private contacts of other users. Editing distribution lists allows to add contacts 
from foreign accounts, where the attacker has no read access.

Risk:
Attackers within the same context can discover fragments of contact information from folders without read access, 
including other users personal contact folders. No publicly available exploits are known.

Solution:
We improved permission checks when editing distribution lists to restrict access.



---



Internal reference: MWB-1983
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24604
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Header length does not get limited for external content. HTTP client requests initiated by App Suite middleware were 
not validating the lenght of HTTP headers.

Risk:
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could 
temporarily lock up processing those headers. No publicly available exploits are known.

Solution:
We introduced a limitation for HTTP header length and reject processing if a threshold is hit.



---



Internal reference: MWB-1981
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24603
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Size limits for external content are not considered for data transfer. HTTP client requests initiated by App Suite 
middleware were not stopping downloads for resources that exceed size limits.

Risk:
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of data, it would be fully 
downloaded before applying size checks. While this could not be used to lock up the system, its a plausible 
amplification vector for denial of service attacks to other services. No publicly available exploits are known.

Solution:
We improved the limitation for content length and immediately stop downloading if a threshold is hit.



---



Internal reference: MWB-1978
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-01
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24599
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:
Users can change arbitrary appointments by ID confusion. Appointments of other users could be changed without the 
appropriate autorization by sending conflicting object IDs within the same request.

Risk:
Attackers within the same context can modify fragments of appointment information from folders without read access, 
including other users personal calendar folders. No publicly available exploits are known.

Solution:
We improved permission checks when updating appointments to restrict access.

Attachment: signature.asc
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/