CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Klug
Ambassador
Posts: 2746
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

Hello all,

It's out on the bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.

In the announcement mail, we learn that Zimbra/Synacor was notified last May.
We also learn any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on December 12 and guidance was released to us (customers/users).

However...

There is nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find information)
The bug (107925) is obviously private.
8.6 that is supposed to be under "Technical Guidance" and "General Support" doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).

The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different information), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?

Can someone from Zimbra/Synacor make a clear statement on all this?
Klug

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

Checked a little further (thanks to Malte), 8.6 is actually vulnerable (the bad code is in).

This is insane.
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by barrydegraaff »

According to Malte Stretz: These are the last two XSS issues fixed:
https://github.com/Zimbra/zm-web-client ... 924b915d68
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

It looks like a patch for 8.0 to 8.5 is available here:
https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79

The upstream is here, as Malte found:
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

This is probably exploitable via the URL Zimlet; we did see some updates of
that some time ago. But I cannot find those changes back in Github, so maybe there
is some history missing? https://github.com/Zimbra/zm-zimlets/co ... zimbra_url

8.6.0 Patch-8 has been issued on 2 February 2017, nothing in Github.
The config_template.xml for url zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.

So I am thinking installing patch 8 on 8.6 or updating the URL zimlet
would fix CWE-79 (with the limited info available).


About the underlying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been re-done since
8.6. In 8.6 the code looks like:

                                        if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
                                                html.push(content);
                                        } else {
                                                // bug fix #31840 - convert HTML to text
                                                var div = document.createElement("div");
                                                div.innerHTML = content;
                                                var convert = AjxStringUtil.convertHtml2Text(div);

                                                html.push(hasHtmlPart ? "<pre>" : "");
                                                html.push(AjxStringUtil.htmlEncode(convert));
                                                html.push(hasHtmlPart ? "</pre>" : "");
                                        }
And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:

         else if (isHtml) {
             if (htmlMode) {
                 // fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
                 // and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
                 if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
                     var partToCid = {};
                     for (var j = 0; j < msg._attachments.length; j++) {
                         var att = msg._attachments[j];
                         if (att.contentId) {
                             partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
                         }
                     }
                     content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
                         return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
                     });
                 }
             }
             else {
                 // this can happen if a message only has an HTML part and the user wants to view mail as text
 - -                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
             }
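Review bot: the `+` line is the whole fix, wrapping the converted text in AjxStringUtil.htmlEncode before it is concatenated into the div, which is correct for this branch because convertHtml2Text decodes entities and so hands back a string that may itself contain `<`, `>` and quotes. Two things worth noting from the visible lines: the `htmlMode` branch in the same hunk still pushes `content` through unencoded (only the dfsrc-to-cid rewrite touches it), so it relies entirely on the HTML part having been sanitized upstream; and the removed line carries a doubled `- -` prefix that looks like a paste artifact of the copied diff rather than part of the commit, while both the old and new lines end without a semicolon.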

So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was there on 8.6. So perhaps 8.6 is not vulnerable.

I would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.
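As an added illustration of the bug class the diff above addresses (example code, not Zimbra's; the convertHtml2Text and htmlEncode helpers are simplified stand-ins for the AjxStringUtil ones, and the sample HTML part is constructed), this shows why text produced by an HTML-to-text conversion cannot go straight back into markup:

```javascript
// Added illustration, not code from zm-web-client.
// Stand-ins for AjxStringUtil.convertHtml2Text / htmlEncode (assumption:
// the real helpers walk a DOM tree; these operate on strings).

// Minimal HTML -> text: drop tags, decode the common entities.
function convertHtml2TextStandIn(html) {
  const noTags = html.replace(/<[^>]*>/g, "");
  return noTags
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" decodes once to "&lt;"
}

// Minimal text -> HTML-safe text.
function htmlEncodeStandIn(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The removed line of the diff: converted text concatenated into markup as-is.
function renderTextViewBefore(content) {
  return "<div style='white-space:pre-wrap;'>" + convertHtml2TextStandIn(content) + "</div>";
}

// The added line of the diff: converted text encoded before concatenation.
function renderTextViewAfter(content) {
  return "<div style='white-space:pre-wrap;'>" +
    htmlEncodeStandIn(convertHtml2TextStandIn(content)) + "</div>";
}

// Detection helper: any tag inside the wrapper div would be parsed as live markup.
function containsLiveTag(rendered) {
  const inner = rendered
    .replace(/^<div style='white-space:pre-wrap;'>/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample: an HTML part whose visible body text is entity-encoded
// markup. As HTML it renders as literal characters; after text conversion the
// entities are decoded and the result is markup again.
const SAMPLE_HTML_PART = "<p>Hi,</p><p>&lt;b&gt;not bold&lt;/b&gt;</p>";

// Stand-alone run: print both renderings and whether each contains a live tag.
for (const [label, render] of [["before", renderTextViewBefore], ["after", renderTextViewAfter]]) {
  const out = render(SAMPLE_HTML_PART);
  console.log(label, containsLiveTag(out) ? "LIVE MARKUP" : "inert", out);
}
```

The point is the order of operations: convertHtml2Text produces plain text, and plain text pushed into innerHTML is markup again unless it is encoded first. Checking whether the encode call is present on the text-view path is the quickest way to tell whether a given build has this fix.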
barrydegraaff

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by barrydegraaff »

I think the real problem is the communication and lack of a security overview/summary page where all this stuff is documented.

Because even if stuff gets fixed, after some time, it is hard to understand what happened and when.
Klug

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

Barry, as I said on the Zeta-Users mailing-list, I'm not sure about 8.6P8 being vulnerable or not.
There are seven (7) different CWE-79-type vulnerabilities discovered since the last 8.6 patch, with different CVE numbers (so they're in different parts of the code).

The patch (by Wolfy) you're talking about was included in 8.6P5.
But it fixes only CVE-2015-7609.
It does not fix CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and the one without CVE-serial.

There are two different concerns.

One is the lack of communication: is 8.6P8 vulnerable or not?
Were all these vulnerabilities tested against 8.6P8 and what is the result?

The second one is "if 8.6P8 is vulnerable, where are the fixes/patches?".
Klug

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

More than a week later, no news from Synacor, Zimbra France nor the PM...
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by phoenix »

Klug wrote:More than a week later, no news from Synacor, Zimbra France nor the PM...
I'm not surprised at the lack of response, are you? I think Zimbra has abandoned these forums. :(
Regards

Bill

Klug

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

I'm not that surprised.

However, the PM is alive.
He reads/posts in this forum and elsewhere (blog post two days ago) so I thought maybe...
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.

Thanks
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/