OX App Suite: Vulnerabilities identified by 7Safe pen tester


OX App Suite By Michael Shuff | 24 April 2017

7Safe’s James Dale has successfully reported two security vulnerabilities found in OX App Suite from Open-Xchange via the company’s Hackerone Bug Bounty program (https://hackerone.com/bug-bounty-programs).

OX App Suite is a modular platform designed for telcos, hosters and providers that delivers a wide range of cloud-based services. It lets customers create bundles for existing target markets as well as trial and experiment in niche markets. This flexibility allows them to deliver more effectively against revenue objectives.

Since OX App Suite APIs and source code are both publicly documented and exposed, Open-Xchange relies on strong authentication, sound crypto implementations, and delivery of the software with secure defaults. Accepting that no technology is perfect, Open-Xchange believes that working with skilled security researchers across the globe is crucial to identifying weaknesses and building trust in technology. When estimating a reward they use CVSS and map the score against defined payout grades. Certain aspects matter when considering the reward for a specific issue, for example:

  • Does it affect all users or would a practical attack require significant effort to compromise a wider range of users?
  • What level of authentication at the attacker and victim side is required to make the attack work?
  • Are social-engineering vectors (e.g. phishing) required to execute the vulnerability?
  • Is the attack vector remotely exploitable and are multiple steps required to execute it?
  • Does the attack require interaction of the victim to be effective?
  • Does the attack rely on weaknesses in third party components on the victim’s side?

Release notes for Open-Xchange App Suite 7.8.3 contain the following ‘Credits to kltdwd’ [James Dale’s handle] entries detailing the two severe-rated vulnerabilities in OX App Suite that James identified:

47824 XSS with user pictures
When using SVG images as user pictures, script code may get embedded and executed when forging specific links. This was solved by denying SVG content as a picture and sanitizing existing data.
CVE-2016-6850, Credits to kltdwd.

48083 XSS for Drive and Mail attachments
A new pattern was discovered that allowed bypassing the existing sanitizer and executing script code payloads within HTML files. It was fixed by adapting the sanitizer.
CVE-2016-6850, Credits to kltdwd.
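The fix for 47824 is described only as "denying SVG content as picture". The following is an added example, not Open-Xchange's code, of what such a check looks like on the server side: an upload validator that allowlists raster formats by their magic bytes and detects SVG by content rather than by file extension or the client-declared MIME type, so that a renamed or namespace-prefixed SVG is still rejected. The sample inputs, the function names and the size cap are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist of raster formats, identified by their magic bytes (constructed for this example).
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

SVG_NS = "http://www.w3.org/2000/svg"
MAX_PARSE_BYTES = 1 << 20  # do not hand oversized blobs to the XML parser


def sniff_raster_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if not an allowlisted raster format."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """True if a browser would treat these bytes as SVG, regardless of extension or declared type."""
    head = data.lstrip(b"\xef\xbb\xbf").lstrip()  # strip a UTF-8 BOM and leading whitespace
    # Cheap textual check first: an <svg start tag anywhere in the first 2 KB, any case.
    if re.search(rb"<\s*svg\b", head[:2048], re.IGNORECASE):
        return True
    # Otherwise parse as XML and inspect the root element; this catches prefixed roots
    # such as <s:svg xmlns:s="..."> that the regex does not see.
    if len(head) > MAX_PARSE_BYTES:
        return False  # too large to parse here; the raster allowlist below rejects it anyway
    try:
        root = ET.fromstring(head)  # production code should prefer defusedxml for untrusted input
    except ET.ParseError:
        return False
    return root.tag == f"{{{SVG_NS}}}svg" or root.tag.lower().endswith("svg")


def validate_user_picture(data: bytes, declared_mime: str):
    """Decide whether an uploaded user picture may be stored.
    Returns (accepted, detected_mime, reason)."""
    if looks_like_svg(data):
        return False, "image/svg+xml", "SVG content is not allowed as a user picture"
    detected = sniff_raster_type(data)
    if detected is None:
        return False, None, "unrecognised image format"
    if declared_mime != detected:
        return False, detected, "declared type does not match content"
    return True, detected, "ok"


# Constructed sample uploads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG_PLAIN = b'\xef\xbb\xbf<?xml version="1.0"?>\n<SVG xmlns="http://www.w3.org/2000/svg"><circle r="1"/></SVG>'
SAMPLE_SVG_PREFIXED = b'<?xml version="1.0"?>\n<s:svg xmlns:s="http://www.w3.org/2000/svg"><s:circle r="1"/></s:svg>'

if __name__ == "__main__":
    for name, blob, declared in [
        ("png as png", SAMPLE_PNG, "image/png"),
        ("png declared as jpeg", SAMPLE_PNG, "image/jpeg"),
        ("svg declared as png", SAMPLE_SVG_PLAIN, "image/png"),
        ("prefixed svg declared as png", SAMPLE_SVG_PREFIXED, "image/png"),
        ("empty upload", b"", "image/png"),
    ]:
        print(name, "->", validate_user_picture(blob, declared))
```

The two-stage detection matters: a regex on the first bytes is fast and catches the common case, but only a real parse of the root element catches a namespace-prefixed SVG root, which is exactly the kind of input that a filename- or header-based check lets through.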

James Dale works at 7Safe, the specialist cyber security arm of PA Consulting, in the advanced penetration testing team headed by Aleksander Gorkowienko. James is based in London Victoria.


#   #   #

You can read more about PA and 7Safe in a series of ‘Cyber Trump Cards’, which help PA consultants and client organisations understand both the problems/issues and how to address them, with help from the 7Safe cyber experts:

https://www.7safe.com/about-7Safe/downloads/cyber-trump-cards
