OX Documents 7.10.5 Improper Authorization ≈ Packet Storm

Product: OX Documents
Vendor: OX Software GmbH

Internal reference: DOCS-3199
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: imageconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev14, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-16
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28093
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted images are cached for faster processing when requesting the same resource again. This cache used a weak mechanisms (Adler32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Image content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two image files that would generate the same hash key
2. Upload both files
3. View Image A
4. View Image B - The content of Image A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.

---

Internal reference: DOCS-3200
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev34, 7.10.4-rev20, 7.10.5-rev7
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28094
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanisms (CRC32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Document content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two document files that would generate the same hash key
2. Upload both files
3. View document A
4. View document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.

---

Internal reference: DOCS-3201
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev10, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28095
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanisms (CRC32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Document content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two documents that contain XML structures which create a hash collision
2. Upload both files
3. Edit document A
4. Edit document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.

Read more