CVE-2016-4027
CVSS 3.5
Published: 2016-12-15 01:59:06
Revised: 2016-12-16 12:49:10

[Original] An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account.


[CNNVD] No CNNVD data available yet.


[Machine translation] Google Translate (Enterprise):

- CVSS (base score)

CVSS score: 3.5 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [attacker does not need intranet or local access]
Authentication: SINGLE_INSTANCE [--]

- CWE (weakness category)

CWE-200 [Information Exposure]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4027 (official data source: MITRE)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4027 (official data source: NVD)

- Other links and resources

http://packetstormsecurity.com/files/137599/Open-Xchange-App-Suite-7.8.1-Information-Disclosure.html (VENDOR_ADVISORY, CONFIRM)
http://www.securityfocus.com/archive/1/archive/1/538732/100/0/threaded (VENDOR_ADVISORY, CONFIRM)
http://www.securitytracker.com/id/1036157 (VENDOR_ADVISORY, SECTRACK 1036157)

- Vulnerability information (F137599)

Open-Xchange App Suite 7.8.1 Information Disclosure (PacketStormID:F137599)
2016-06-22 00:00:00
Martin Heiland
exploit,info disclosure
CVE-2016-4027

Open-Xchange App Suite versions 7.8.1 and below suffer from an information disclosure vulnerability.

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 45328 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev43, 7.6.3-rev11, 7.8.0-rev23, 7.8.1-rev10
Vendor notification: 2016-04-14
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4027
CVSS: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct.

Risk:
Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account.

Steps to reproduce:
1. Use token-login to forward a client with authentication credentials
2. Within the login string, set the "store" parameter to "false"
3. Observe the cookie settings for the client

Solution:
Users should always log out from their session when not using the application for an extended period of time. Operators and users can enable automatic log-out. Operators should deploy the latest Patch Release.



Affected product: OX Guard
Internal reference: 45292 (Bug ID)
Vulnerability type: Information Exposure (CWE-209)
Vulnerable version: 2.4.0
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed versions: 2.4.0-rev8
Vendor notification: 2016-04-13
Solution date: 2016-04-21
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4028
CVSS: 4.4 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding.

Risk:
Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest user needs to have logged in, and the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter need to be known to the attacker.

Solution:
The API now delivers consistent responses regardless of whether the padding has been successfully guessed. This will mitigate the attack vector. Future releases may remove usage of AES-CBC to solve the root cause completely. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45312 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-13
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Mohamed Khaled Fathy
CVE reference: CVE-2016-4026
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on.

Solution:
Users should not open content from untrusted sources; to safeguard the client side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45295 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.6.3 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-13
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4026
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
In case the legacy AJP connector is used (available till 7.6.3), a specific error case can be used to execute script code in the user's context. A file needs to be uploaded to Drive and its MIME type needs to be altered in a way that it passes the syntax check but triggers an error while processing the download. In this event, the related error page reflects the file name to the requesting client. If an attacker has also renamed the file in a way that it contains script code, that code gets executed. When using the recent Grizzly connector, this vulnerability does not occur since the response is part of the header. Even so, we changed the code to avoid returning user input within HTTP headers when using Grizzly.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not open links from untrusted sources; to safeguard the client side, HTTP headers like CSP can be set. Users should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45401 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4045
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code can be embedded in RSS feeds using a URL notation. In case a user clicks the corresponding link in the RSS reader of App Suite, code gets executed in the context of the user.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not subscribe to RSS feeds from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45363 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.0 and 7.8.1
Vulnerable component: documents frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-16
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Saeed Hashem
CVE reference: CVE-2016-4045
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/RC:C)

Vulnerability Details:
Users can add comments to documents in review mode. In case a user has set script code as first or last name, that code might get executed in the context of other users who work on "review" of the document at the same time.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work.

Solution:
Users should not open text documents from untrusted sources and should enable the XSS protection feature of their browsers. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45364 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.8.0 and 7.8.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.0-rev30 (backend), 7.8.0-rev23 (frontend), 7.8.1-rev11
Vendor notification: 2016-04-16
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Saeed Hashem
CVE reference: CVE-2016-4048
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages.

Risk:
Users may get tricked to follow instructions injected by third parties as part of social engineering attacks.

Solution:
Users should not open links from untrusted sources or follow instructions regarding their credentials. We changed the behaviour in a way that the client is now required to provide a token in order to get a specific message shown at the login screen. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45386 (Bug ID)
Vulnerability type: XML External Entity References (CWE-611)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: documents backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev14, 7.6.3-rev3, 7.8.0-rev7, 7.8.1-rev8
Vendor notification: 2016-04-18
Solution date: 2016-05-10
Public disclosure: 2016-06-22
Researcher credits: Deepanker Chawla
CVE reference: CVE-2016-4047
CVSS: 4.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)

Vulnerability Details:
References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xlsx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document.

Risk:
Usage of a document may get tracked and information about internal infrastructure may get exposed.

Solution:
Users should not open documents from untrusted sources. Operators shall restrict access to external resources on a network level. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45366 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-17
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4046
CVSS: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports into API calls. Depending on the response type, content and latency, information about the existence of hosts and services can be gathered.

Risk:
Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks.

Solution:
Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45402 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVE reference: CVE-2016-4046
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

Vulnerability Details:
The API to configure RSS feeds can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports into API calls. Depending on the response type, content and latency, information about the existence of hosts and services can be gathered.

Risk:
Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks.

Solution:
Operators shall restrict access to internal and external resources on a network level. Operators should deploy the latest Patch Release.



Affected product: OX App Suite
Internal reference: 45405 (Bug ID)
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: 7.8.1 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev54, 7.6.3-rev11, 7.8.0-rev30, 7.8.1-rev11
Vendor notification: 2016-04-19
Solution date: 2016-05-10
Public disclosure: 2016-06-22
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
Configuring RSS feeds allows users to provide an arbitrary URL to fetch feed data. Response checks make sure only valid XML gets processed, but they do not apply limits to file size. As a result, processing of large XML resources can be triggered, which leads to high resource usage and potentially reduces service availability.

Risk:
Attackers can reduce system availability and responsiveness.

Solution:
Operators should deploy the latest Patch Release.


Best regards,
 Martin Heiland, Open-Xchange GmbH
    

- Vulnerability information

Open-Xchange AppSuite CVE-2016-4027 Information Disclosure Vulnerability
Class: Design Error
Bugtraq ID: 91354
Remote: Yes
Local: No
Published: 2016-06-22 12:00:00
Updated: 2016-06-22 12:00:00
Credit: The vendor reported this issue.

- Affected program versions

- Vulnerability discussion

Open-Xchange App Suite is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.

Open-Xchange AppSuite 7.8.1 and prior are vulnerable.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.

- References

     

     
