XSS vulnerability fixed – mailbox.org users optimally protected

The security company "Prosec Networks" recently reported a cross-site scripting (XSS) vulnerability in the groupware Open-Xchange. The German technology news outlet Heise Security also covered the issue.

For such an attack to work, the following conditions need to be in place:

  1. The victim has clicked on a specially prepared web link that triggers the attack.
  2. The victim uses an outdated web browser that has no built-in protection against cross-site scripting, or the web server running Open-Xchange has not been kept up to date and therefore does not instruct modern web browsers to enable their XSS protection.


All web servers at mailbox.org are carefully configured for maximum security and send specific HTTP settings to the client's browser. We have supported the XSS protection of current browsers for a long time. As a result, mailbox.org users with up-to-date and properly configured web browsers were not affected by the vulnerability at all.
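The post does not name the HTTP settings it refers to. The header that IE 8+ and WebKit-based browsers honour for their built-in XSS filter is `X-XSS-Protection`, and the modern equivalent is a `Content-Security-Policy`. The following check, added here as an example and not code from mailbox.org or Open-Xchange, parses a raw HTTP response and reports whether either mechanism is requested; the sample responses are constructed, and the header values shown are illustrative, not mailbox.org's actual configuration.

```python
"""Inspect an HTTP response for the headers that switch on browser-side XSS
protection. Added example; the sample responses below are constructed."""

from typing import Dict, Optional


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a header dictionary.

    Only the status line and header block are read; the body (after the
    blank line) is ignored. Header names are matched case-insensitively
    by the helpers below, so the original casing is preserved here.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def legacy_xss_filter_enabled(headers: Dict[str, str]) -> bool:
    """True if X-XSS-Protection asks the browser's built-in filter to be on.

    "1" or "1; mode=block" enables it; "0" explicitly disables it; a missing
    header leaves the browser's default in charge, which we treat as not
    enforced by the server.
    """
    value = _get(headers, "X-XSS-Protection")
    if value is None:
        return False
    return value.split(";")[0].strip() == "1"


def csp_present(headers: Dict[str, str]) -> bool:
    """True if the response carries any Content-Security-Policy."""
    return _get(headers, "Content-Security-Policy") is not None


def assess(raw_response: str) -> Dict[str, bool]:
    """Summarise which XSS-protection signals a raw response sends."""
    headers = parse_headers(raw_response)
    return {
        "legacy_xss_filter": legacy_xss_filter_enabled(headers),
        "csp": csp_present(headers),
    }


# Constructed sample responses (not captured from any real server).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

DISABLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-xss-protection: 0\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for label, resp in [("hardened", HARDENED_RESPONSE),
                        ("weak", WEAK_RESPONSE),
                        ("disabled", DISABLED_RESPONSE)]:
        print(label, assess(resp))
```

The legacy `X-XSS-Protection` filter has since been removed from Chromium-based browsers, so a server-side check like this should treat a Content-Security-Policy as the signal that matters today and the legacy header only as a bonus for older clients.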


The following web browsers have XSS protection features:

  • Internet Explorer (IE) 8 and above
  • all WebKit-based browsers since 2010 (Google Chrome 4.x and above, Safari, Epiphany, and others)
  • Firefox since 2009/10, provided the easy-to-install add-on "NoScript" is active


The vulnerability itself was fixed three weeks ago by a security update. Irrespective of that, users should always use a modern web browser in its current version, since its security features can prevent many attacks of this kind.

Outdated browsers not only lack these features but are also exposed to a number of well-known security vulnerabilities that attackers can exploit.

We recommend that all users of Mozilla Firefox install and enable the "NoScript" add-on.