Open-Xchange Security Advisory 2013-08-16
Product: Open-Xchange AppSuite / HTMLCleaner
Vendor: Open-Xchange GmbH / HTMLCleaner team
Internal reference: 27708 (Open-Xchange Bug ID), 86 (HTMLcleaner ticket)
Vulnerability type: Race condition within a thread (CWE-366)
Vulnerable version: 7.2.2
Vulnerable component: backend
Fixed version: 7.2.2-rev13
Solution status: Fixed by Vendor (Open-Xchange), Fixed by third party (HTML=
Cleaner)
Vendor notification: 2013-07-22
Solution date: 2013-08-06
Public disclosure: 2013-08-16
CVE reference: CVE-2013-5035
CVSSv2: 7.6 (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:U/RC:C/CDP:H/TD:H/CR:ND/IR:N=
D/AR:ND)
Vulnerability Details:
If multiple requests to save E-Mail as =E2=80=9Cdraft=E2=80=9D, or send E-M=
ail, occur within a very narrow window of time, it is possible that E-Mail =
content get swapped between requests. The root cause for this is a HTML san=
itising library that turned out not to be thread-safe despite it claims to =
be. Further research showed, that the issue has been introduced with OX 7.2=
..2 by updating to the latest version of this library (2.2 to 2.5). OX Versi=
ons 7.2.1 and earlier are not vulnerable.
Risk:
Not properly handling concurrent access within the sanitising library leads=
to a potential privacy issue. Content can become modified unintentionally =
or available to unprivileged users and recipients, when mixing with other u=
sers content while processing mail. An attacker could potentially trigger a=
lot of these requests to provoke content switches in order to randomly acc=
ess mail content and personal data. Apart from using the library for this s=
pecific use-case, results for general HTML sanitising under high load may n=
ot be accurate and could contain corrupted content.
Steps to reproduce:
1. Have a multiple clients constantly saving draft mail or sending mail (qu=
icker than 100ms per mail)
Proof of concept:
The issue has been reproduced using Unit tests, load tests and has been con=
firmed by the HTMLcleaner development team. At typical load, we experienced=
a probability of less than 0.5% that mail content of the same client eithe=
r gets duplicated or mixed with mail content of another client. Higher syst=
em load and concurrent usage (per OX node) leads to a higher probability th=
at this issue can arise.
We have reported this issue back to the maintainers of the library, adding =
a test case and proof-of-concept code. The issue has been fixed with HTMLCl=
eaner 2.6, see http://sourceforge.net/p/htmlcleaner/bugs/86/ for more detai=
ls.
Solution:
The solution is to create one instance of the sanitizer per request rather =
than passing multiple requests to the same instance. This avoids potential =
multithreading issues using this library, however it does not solve the roo=
t cause and other consumers of this library should either downgrade, upgrad=
e or implement a similar workaround.
Users should update to the latest available patch releases 7.2.2-rev13
Martin Braun
Open-Xchange GmbH