CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
-
- Ambassador
- Posts: 2747
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hello all,
It's out on the Bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.
In the announcement mail, we learn that Zimbra/Synacor was notified last May.
We also learn that any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on December 12 and guidance released to us (customers/users).
However...
There is nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find information)
The bug (107925) is obviously private.
8.6, which is supposed to be under "Technical Guidance" and "General Support", doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).
The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different information), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?
Can someone from Zimbra/Synacor make a clear statement on all this?
-
- Ambassador
- Posts: 2747
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Checked a little further (thanks to Malte), 8.6 is actually vulnerable (the bad code is in).
This is insane.
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
According to Malte Stretz: These are the last two XSS issues fixed:
https://github.com/Zimbra/zm-web-client ... 924b915d68
https://github.com/Zimbra/zm-web-client ... 3dfebc5504
I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]
It looks like a patch for 8.0 to 8.5 is available here:
https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79
The upstream is here, as Malte found:
https://github.com/Zimbra/zm-web-client ... 3dfebc5504
This is probably exploitable via the URL Zimlet; we did see some updates of
that some time ago. But I cannot find those changes back in GitHub, so maybe there
is some history missing? https://github.com/Zimbra/zm-zimlets/co ... zimbra_url
8.6.0 Patch-8 was issued on 2 February 2017, nothing in GitHub.
The config_template.xml for the URL zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.
So I am thinking installing Patch 8 on 8.6 or updating the URL zimlet
would fix CWE-79 (with the limited info available).
About the underlying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been re-done since
8.6. In 8.6 the code looks like:
Code:
    if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
        html.push(content);
    } else {
        // bug fix #31840 - convert HTML to text
        var div = document.createElement("div");
        div.innerHTML = content;
        var convert = AjxStringUtil.convertHtml2Text(div);
        html.push(hasHtmlPart ? "<pre>" : "");
        html.push(AjxStringUtil.htmlEncode(convert));
        html.push(hasHtmlPart ? "</pre>" : "");
    }
And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:
Code:
    else if (isHtml) {
        if (htmlMode) {
            // fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
            // and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
            if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
                var partToCid = {};
                for (var j = 0; j < msg._attachments.length; j++) {
                    var att = msg._attachments[j];
                    if (att.contentId) {
                        partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
                    }
                }
                content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
                    return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
                });
            }
        }
        else {
            // this can happen if a message only has an HTML part and the user wants to view mail as text
-           content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+           content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
        }
So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was there on 8.6. So perhaps 8.6 is not vulnerable.
I would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.
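Review bot: The added AjxStringUtil.htmlEncode around convertHtml2Text in the else branch is the right fix: convertHtml2Text returns plain text, and that text is concatenated into an HTML string (the white-space:pre-wrap div) that is rendered, so before this change any '<' or '&' in the converted text was interpreted as markup rather than displayed. Note that the htmlMode branch above still assigns the rewritten content without encoding; that path depends on HTML sanitization performed elsewhere, which is not visible in this excerpt, and the commit message should state where that happens.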
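The encoding gap Barry describes, as an added example that is not Zimbra code: toy stand-ins for convertHtml2Text and htmlEncode (assumed simplified behaviour), with the text-view wrapper before and after the fix, run on a constructed message body.

```javascript
// Toy stand-in for AjxStringUtil.convertHtml2Text (assumed simplified behaviour):
// strip tags, then decode the common entities so the result is plain text.
function convertHtml2Text(html) {
  return html
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Toy stand-in for AjxStringUtil.htmlEncode: make text safe to place in HTML content.
function htmlEncode(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Text-view wrapper as in the commit's removed line: converted text spliced in raw.
function renderAsTextBefore(content) {
  return "<div style='white-space:pre-wrap;'>" + convertHtml2Text(content) + "</div>";
}

// Text-view wrapper as in the commit's added line: encode before splicing.
function renderAsTextAfter(content) {
  return "<div style='white-space:pre-wrap;'>" + htmlEncode(convertHtml2Text(content)) + "</div>";
}

// Count opening tags inside the wrapper div; anything above zero means the
// message body, not the client, contributed markup to the rendered page.
function foreignTagCount(rendered) {
  const inner = rendered.slice(rendered.indexOf(">") + 1, rendered.lastIndexOf("</div>"));
  return (inner.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: as HTML the inner tag is entity-encoded and displays as text,
// but once decoded to text and re-inserted without encoding it becomes a live element.
const SAMPLE_HTML_PART = "<p>Invoice attached: &lt;i&gt;not really italic&lt;/i&gt;</p>";

console.log("before fix:", renderAsTextBefore(SAMPLE_HTML_PART));
console.log("after fix: ", renderAsTextAfter(SAMPLE_HTML_PART));
```

The point is that a text conversion is not an encoding step: it decodes entities, so the output needs its own htmlEncode before it is put back into HTML.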
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
I think the real problem is the communication and lack of a security overview/summary page where all this stuff is documented.
Because even if stuff gets fixed, after some time, it is hard to understand what happened and when.
-
- Ambassador
- Posts: 2747
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Barry, as I said on the Zeta-Users mailing-list, I'm not sure about 8.6P8 being vulnerable or not.
There are seven (7) different CWE-79 type vulnerabilities discovered since the last 8.6 patch, with different CVE numbers (so they're in different parts of the code).
The patch (by Wolfy) you're talking about was included in 8.6P5.
But it fixes only CVE-2015-7609.
It does not fix CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and the one without a CVE serial.
There are two different concerns.
One is the lack of communication: is 8.6P8 vulnerable or not?
Were all these vulnerabilities tested against 8.6P8, and what is the result?
The second one is "if 8.6P8 is vulnerable, where are the fixes/patches?".
-
- Ambassador
- Posts: 2747
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
More than a week later, no news from Synacor, Zimbra France nor the PM...
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Klug wrote:
More than a week later, no news from Synacor, Zimbra France nor the PM...
I'm not surprised at the lack of response, are you? I think Zimbra has abandoned these forums.
-
- Ambassador
- Posts: 2747
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
I'm not that surprised.
However, the PM is alive.
He reads/posts in this forum and elsewhere (blog post two days ago) so I thought maybe...
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.
Thanks