oss-sec mailing list archives
Re: CVE request: several SOGo issues (DOS, XSS, information leakage)
From: cve-assign () mitre org
Date: Sat, 9 Jul 2016 11:27:33 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
SOGo #3510: DOS attack through uploading malicious attachments Fix: http://github.com/inverse-inc/sogo/commit/32bb1456e23a32c7f45079c3985bf732dd0d276d Issue: https://sogo.nu/bugs/view.php?id=3510
1. Create a large file, for example `dd if=/dev/zero of=/tmp/1GB bs=1M count=1000` 2. Open new mail in SOGo, try to attach large file 3. If attachment fails, some memory gets freed, but not all of it 4. Repeat 1-3 until server crashes
The issues was resolved by limiting the upload size ... Further investigation showed that not memcached was the issue but temporary files kept around
Use CVE-2016-6188.
SOGo #3695: Private information leakage through ics/XML feeds when restricted to "View the Date & Time" Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d Issue: https://sogo.nu/bugs/view.php?id=3695
1. Not all private information removed for the public free/busy view
I was able to observe following fields containing critical information: - ORGANIZER (who invited the calendar owner?) - X-ALT-DESC (Outlook-specific extended copy of the description?)
Use CVE-2016-6189.
SOGo #3696: Meta information can be derived from UID/DTSTAMP attributes though "View the Date & Time" restricted access Backend Calendar Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d Issue: https://sogo.nu/bugs/view.php?id=3696
2. It was possible to join appointments based on the UID of the public free/busy view from different users, to know who has appointments with whom
one can derive common appointments between other people
Use CVE-2016-6190.
SOGo #3718: Persistent Cross-Site Scripting in calendar Issue: https://sogo.nu/bugs/view.php?id=3718 Fix: http://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa
When creating a calendar entry containing script code
Use CVE-2016-6191.
SOGo #2598: Script injection in calendar title Fixes: - https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9 - https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765 - https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501 - https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625 Issue: https://sogo.nu/bugs/view.php?id=2598 The (now public) issue log says I realized the issue also exists with contacts
Add injection code, for example in the "Display" name field
Use CVE-2014-9905 for the XSS issues in both the calendar title and the contacts module. We cannot yet send a CVE ID here for the non-public issue #3670. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXgRd2AAoJEHb/MwWLVhi2A5wP/j6sHW/jtA04EIw4E0KiQRFt wI9QOZ1BdyptWssGcq0r5FV8p1sdVsjiFn607Dj8uVXjf1Txpai7/Z7Dpl3Ssejh LXdABo+TDnCM49n0CKyQUzSF+HfaUoU2HRar+48pB1KqYx+hahE4TVZ+14L9etvg UMJzkeu/cEzS8vh6G9VFp0vEOAhWuhcfKqBVrMjU2hFSCHLJVrvduO05uvMlJ0fJ B5nLcAR6OCiFcqZ+ttHtxOCSZD96bpogBAkxCMsl7rz6iZpwqMdhJrh+8wf5cIfn T2v+5fPRiM0/rm0NCjI8bWd87pI7ZWr+FNbuqwkPeGwHtYpwrMryfMaiMmqdSf+V rxaKOsYwh5vr6IddVBQAQF+OmVBj71wfsydl71HvZdp4vLCZcr8EgpaQPFjltC// 2EEsQ7dsfJIGY9GfarYPVuwLN2psqiUkf1x1KvEPzcSFJn+w0LLx2qxeGwFc3X0m 11MYp+v0C1LVmYwaf+vNrnMf537sN+K8s6pN80Hf+t7lB3hEmilyeaPoXWxOyF8s t3hAJ6isrhTZ10xqX6nFz1I69piNp4IEJQ7SgbXJoI8BJEDucYC99G/VBaB2j3WA JdXI5I1fZZ/rTPT3EcBrM8psMWJmOGNUBnZmJfFpalIfkrD9OqKkvtovNm+EF/we XHadO9HsP5kU7/eTgBEf =Uq/q -----END PGP SIGNATURE-----
Current thread:
- Re: CVE request: several SOGo issues (DOS, XSS, information leakage) Jens Erat (Jul 08)
- Re: CVE request: several SOGo issues (DOS, XSS, information leakage) cve-assign (Jul 09)