what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption

OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption
Posted Nov 30, 2022
Authored by Martin Heiland

OX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2022-31469, CVE-2022-37307, CVE-2022-37308, CVE-2022-37309, CVE-2022-37310, CVE-2022-37311, CVE-2022-37312, CVE-2022-37313
SHA-256 | ba6b2cbc7f4a93851df3e4965e0195411ca754b70e55778fee524c5fadf9d260

OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption

Change Mirror Download
Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: OXUIB-1654
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16
Vendor notification: 2022-05-23
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-31469
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.

PoC:
<a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123">

Solution:
We improved deep-link validation to avoid malicious use.



---



Internal reference: OXUIB-1678
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-05-30
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37307
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account.

PoC:
<![CDATA[
<bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body>
]]>

Solution:
We improved the sanitizing algorithm to deal with disguised code.



---



Internal reference: OXUIB-1731
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37308
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail.

PoC:
...
Content-Type: text/plain
<img src onerror="alert('XSS')">

Solution:
We removed plain-text specific code and use existing sanitization mechanisms for HTML content.



---



Internal reference: OXUIB-1732
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37309
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data.

Solution:
We now apply proper HTML escaping to all relevant data sets.



---



Affected product: OX App Suite
Internal reference: OXUIB-1785
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-07-20
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37310
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, the "help" module is available on all instances.

PoC:
https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})[$$f]%2b(""%2b{})[$f]%2b(""%2b[][f])[$f]%2b"f"[f$]%2b"t"[$$]%2b"t"[$f]%2b"t"[$t]%2b(""%2b{})[$$f]%2b"t"[$$]%2b(""%2b{})[$f]%2b"t"[$f];$$$%3d[][$t$][$t$];$$$("$$$('"%2b'\\'%2b$f%2bt$%2b$f%2b'\\'%2b$f%2b$$f%2bt$%2b'\\'%2b$f%2bt$%2b$$f%2b'\\'%2b$f%2b$$t%2b$t%2b'\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\'%2b$f%2bf$%2b$$%2b'\\'%2b$f%2b$t%2bf$%2b'\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})()

Solution:
We sanitized any non-parsable characters from the capabilities input.



---



Internal reference: MWB-1712
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37313
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response.

Risk:
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.

PoC:
Use API calls to setup an external mail account and provide a attacker controlled domain that returns more than one record. Only the first record will be checked against the deny-list, but the second record may also be used afterwards.

Solution:
We improved the analysis of DNS responses and check all available records against deny-list entries.



---



Internal reference: MWB-1713
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37312
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.

PoC:
Sending a large request body containing a "redirect" URL to the "deferrer" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.



---



Internal reference: MWB-1714
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37311
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.

Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.

PoC:
Sending a large "location" request parameter to the "redirect" servlet.

Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close