Headline
OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption
OX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities.
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: OXUIB-1654
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16
Vendor notification: 2022-05-23
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-31469
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
The detection mechanism for “deep links” in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
PoC:
<a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123">
Solution:
We improved deep-link validation to avoid malicious use.
Internal reference: OXUIB-1678
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-05-30
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37307
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Certain content like E-Mail signatures are stored using the “snippets” mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account.
PoC:
<![CDATA[
<bo<script></script>dy>AA<img src onerror="alert(‘XSS’)">BB</body>
]]>
Solution:
We improved the sanitizing algorithm to deal with disguised code.
Internal reference: OXUIB-1731
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37308
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail.
PoC:
…
Content-Type: text/plain
<img src onerror="alert(‘XSS’)">
Solution:
We removed plain-text specific code and use existing sanitization mechanisms for HTML content.
Internal reference: OXUIB-1732
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-06-22
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37309
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Contacts that do not contain a name but only a e-mail address can be used to inject script code to the “contact picker” component, commonly used to select contacts as recipients or participants.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data.
Solution:
We now apply proper HTML escaping to all relevant data sets.
Affected product: OX App Suite
Internal reference: OXUIB-1785
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4
Vendor notification: 2022-07-20
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37310
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login.
Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the “metrics” module is optional, the “help” module is available on all instances.
PoC:
https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(“"%2b{})[$$f]%2b(“"%2b{})[$f]%2b(“"%2b[][f])[$f]%2b"f”[f$]%2b"t”[$$]%2b"t”[$f]%2b"t"[$t]%2b(“"%2b{})[$$f]%2b"t”[$$]%2b(“"%2b{})[$f]%2b"t”[$f];$$$%3d[][$t$][$t$];$$$(“$$$(‘"%2b’\’%2b$f%2bt$%2b$f%2b’\’%2b$f%2b$$f%2bt$%2b’\’%2b$f%2bt$%2b$$f%2b’\’%2b$f%2b$$t%2b$t%2b’\’%2b$f%2b$$t%2bt$%2b’(‘%2b’"’%2b’\’%2b$f%2bf$%2b$$%2b’\’%2b$f%2b$t%2bf$%2b’\’%2b$f%2b$t%2bf$%2b’"’%2b’)‘%2b"’)();”)()})()
Solution:
We sanitized any non-parsable characters from the capabilities input.
Internal reference: MWB-1712
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37313
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Vulnerability Details:
Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response.
Risk:
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine “internal” addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.
PoC:
Use API calls to setup an external mail account and provide a attacker controlled domain that returns more than one record. Only the first record will be checked against the deny-list, but the second record may also be used afterwards.
Solution:
We improved the analysis of DNS responses and check all available records against deny-list entries.
Internal reference: MWB-1713
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37312
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Vulnerability Details:
The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes.
Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.
PoC:
Sending a large request body containing a “redirect” URL to the “deferrer” servlet.
Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
Internal reference: MWB-1714
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3
Vendor notification: 2022-07-14
Solution date: 2022-08-10
Public disclosure: 2022-11-24
CVE reference: CVE-2022-37311
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Vulnerability Details:
The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.
Risk:
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.
PoC:
Sending a large “location” request parameter to the “redirect” servlet.
Solution:
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
Related news
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.