SecurityTracker.com
Category:   Application (E-mail Server)  >   Open-Xchange
Vendors:   Open-Xchange Inc.
Open-Xchange Bugs Permit Cross-Site Scripting and File Disclosure Attacks
SecurityTracker Alert ID:  1029650
SecurityTracker URL:  http://securitytracker.com/id/1029650
CVE Reference:   CVE-2013-7140, CVE-2013-7141, CVE-2013-7142, CVE-2013-7143
Date:  Jan 20 2014
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 7.2.2-rev29, 7.4.0-rev24, 7.4.1-rev17
Description:   Several vulnerabilities were reported in Open-Xchange. A remote user can conduct cross-site scripting attacks. A remote authenticated user can view files on the target system.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Open-Xchange software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Certain '<%' tags can trigger this flaw on Internet Explorer version 9 and prior [CVE-2013-7141].

Certain oAuth API call parameters are affected [CVE-2013-7142].

The title of a mail filter rule can trigger this flaw [CVE-2013-7143].

The CalDAV interface does not properly validate user-supplied input [CVE-2013-7140]. A remote authenticated user can supply specially crafted XML external entity data to view files on the target system.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Open-Xchange software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated user can view files on the target system.

Solution:   The vendor has issued a fix (7.2.2-rev29, 7.4.0-rev24, 7.4.1-rev17).
Vendor URL:  www.open-xchange.com/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 17 Jan 2014 12:15:23 +0100 (CET)
Subject:  Open-Xchange Security Advisory 2014-01-17

Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH


Internal reference: 30357 (Bug ID)
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vulnerable version: 7.4.1 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev29, 7.4.0-rev24, 7.4.1-rev11
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-12-17
Solution date: 2013-12-23
Public disclosure: 2014-01-17
CVE reference: CVE-2013-7141
CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:U/RC:C/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Embedding JavaScript code with certain "<%" tags can lead to script execution within the user's context. This vulnerability is exclusive to users using Internet Explorer 9 or lower.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Users should update to the latest available patch releases. Users should avoid opening E-Mail attachments or files from untrusted sources. Users should avoid using outdated versions of Internet Explorer.



Internal reference: 30358 (Bug ID)
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vulnerable version: 7.4.1 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev29, 7.4.0-rev24, 7.4.1-rev11
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-12-17
Solution date: 2013-12-23
Public disclosure: 2014-01-17
CVE reference: CVE-2013-7142
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Embedding JavaScript code with certain parameters of oAuth API calls can lead to reflected script execution within the user's context and a trusted domain.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions like sending mail, deleting data etc. Also, the user may be lured to untrusted content while still working within the context of a trusted domain.

Solution:
Users should update to the latest available patch releases. Users should avoid opening hyperlinks from untrusted sources.



Internal reference: 30359 (Bug ID)
Vulnerability type: CWE-36: Absolute Path Traversal
Vulnerable version: 7.4.1 and earlier
Vulnerable component: backend
Fixed version: 7.2.2-rev29, 7.4.0-rev24, 7.4.1-rev11
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-12-17
Solution date: 2013-12-23
Public disclosure: 2014-01-17
CVE reference: CVE-2013-7140
CVSSv2: 7.4 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Forged requests against the CalDAV interface can be used to reveal file contents stored on the server system. The SAX builder used to deserialize posted XML bodies at the WebDAV interface was used with the default values and was thus potentially vulnerable to XML external entity attacks (XXE).

Risk:
Content of the requested file is returned to the attacker. This can be used to spy on credentials, configuration or other sensitive data stored at the server.

Solution:
Users should update to the latest available patch releases. The CalDAV interface should be disabled until a solution is provided.



Internal reference: 30368 (Bug ID)
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vulnerable version: 7.4.1
Vulnerable component: frontend
Fixed version: 7.4.1-rev7
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-12-18
Solution date: 2013-12-23
Public disclosure: 2014-01-17
CVE reference: CVE-2013-7143
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Embedding JavaScript code with the title of a mail filter rule leads to execution of the embedded code. This enables a stored cross-site scripting vulnerability that may be used in conjunction with other vulnerabilities or social engineering that placed malicious code at the vulnerable location.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions like sending mail, deleting data etc.

Solution:
Users should update to the latest available patch releases. Users should not grant other users access to their account.
 
 



Copyright 2014, SecurityGlobal.net LLC