Update on June 2022 Zimbra Patch release
https://blog.zimbra.com/2022/06/update-on-june-2022-zimbra-patch-release/ (June 20th 2022)

Reported XSS in zimbra publicly disclosed 3rd

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 721
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P32 RHEL8 Network Edition

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby JDunphy » Sat Feb 05, 2022 12:32 am

I don't know if this helps anyone. I won't be able to do my updates until later so wrote this quickly this morning to give us some more time here. For others, waiting for the official patch is probably more prudent.

What the script does:

0) it needs to run as root because it does a chown zimbra, chmod and zmprov as the zimbra user but it could be all done by zimbra user if you fix that in the script.
1) it backups the original 2 files
2) it patches a few lines to escape some input
3) it flushes the cache (no mailboxd restart is necessary) after running script so you are done

I also had requested the hot fix today and it just came in as I am writing this. I was able to do a diff with that and what my script generated and it appears identical. I claim no understanding of the zimbra code but I can read diff output for the patches. ;-)

It might be useful to someone in a similar situation.

Code: Select all

% cat /tmp/xss-zeroDay.sh
#!/bin/sh
#
# Run as root.
#   will flush the cache so no mailboxd restart is necessary.
#   will only patch once
#
# patch XSS zero day ZBUG-2642 on Feb 4, 2022 as documented here:
#   https://forums.zimbra.org/viewtopic.php?f=15&t=70382
# patched pulled from here (Jholder):
#   https://github.com/Zimbra/zm-web-client/pull/672/commits/76c23a937d2ab40cdfafad1d7a3546bfbf354704
#

multiDay=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
grep escapeXml $multiDay | grep -q newAppt
if [ $? -eq 1 ]; then
   # backup of original
   cp $multiDay $multiDay.bak

   echo "Appying patch to $multiDay"

#
# Want to do this:
#     a href="${newAppt}" 
# to
#     a href="${fn:escapeXml(newAppt)}"
#
perl - $multiDay <<'__HERE__' > $multiDay.out
my $match_str = quotemeta('href="${newAppt}');
my $replace_str = 'href="${fn:escapeXml(newAppt)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $multiDay.out ]; then
      mv $multiDay.out $multiDay
      chown zimbra:zimbra $multiDay
      chmod 644 $multiDay
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc -a all"
   fi

else
  echo "nothing to patch"
fi

# -------- monthView.tag --------------
monthView=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
grep monthZoomUrl $monthView | grep escapeXml | grep -q dayClick
if [ $? -eq 1 ]; then
   # backup of original
   cp $monthView $monthView.bak

   echo "Appying patch to $monthView"

#
# Want to do this:
#    ${monthZoomUrl}
# to
#    ${fn:escapeXml(monthZoomUrl)}
perl - $monthView <<'__HERE__' > $monthView.out
my $match_str = quotemeta('${monthZoomUrl}');
my $replace_str = '${fn:escapeXml(monthZoomUrl)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $monthView.out ]; then
      mv $monthView.out $monthView
      chown zimbra:zimbra $monthView
      chmod 644 $monthView
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc -a all"
   fi

else
  echo "nothing to patch"
fi

I feel a little uneasy of putting the patch in this format and will take no offense if the board moderators remove this post.

Jim


User avatar
oetiker
Advanced member
Advanced member
Posts: 196
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 9.0.0.GA.3924.UBUNTU18.64 U
Contact:

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby oetiker » Sat Feb 05, 2022 10:14 am

apt-get upgrade gets some new patches from zimbra.
thats probably the fix for the XSS

Get:1 https://repo.zimbra.com/apt/8815 bionic/zimbra amd64 zimbra-mbox-webclient-war amd64 8.8.15.1643976867-1.u18 [21.7 MB]
Get:2 https://repo.zimbra.com/apt/8815 bionic/zimbra amd64 zimbra-patch amd64 8.8.15.1643980846.p30-1.u18 [32.2 MB]

If received two files from the zimbra support

monthView.tag
multiDay.tag

that's the difference to the latest release without the above patches applied... after the apply there is no difference ...


Code: Select all

# diff /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag /local-home/moetiker_adm/monthView.tag
127c127
<                                     <td width="11%" onclick='javascript:dayClick(event, "${monthZoomUrl}");' class='ZhCalMonthDay${currentDay.timeInMillis eq date.timeInMillis ? 'Selected':''}'>
---
>                                     <td width="11%" onclick='javascript:dayClick(event, "${fn:escapeXml(monthZoomUrl)}");' class='ZhCalMonthDay${currentDay.timeInMillis eq date.timeInMillis ? 'Selected':''}'>

Code: Select all

# diff /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag /local-home/moetiker_adm/multiDay.tag
294c294
<                                 <c:if test="${not print}"><a href="${newAppt}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
---
>                                 <c:if test="${not print}"><a href="${fn:escapeXml(newAppt)}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
453c453
<                             <c:if test="${not print}"><a href="${newAppt}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
---
>                             <c:if test="${not print}"><a href="${fn:escapeXml(newAppt)}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
User avatar
andreaswolske
Posts: 35
Joined: Tue Nov 26, 2013 11:24 am
Location: Berlin
ZCS/ZD Version: Release 8.8.15_GA_3829.RHEL7_64_201
Contact:

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby andreaswolske » Sat Feb 05, 2022 11:22 am

Good Morning

I can confirm that as of now (12:20 AM CET) the current patches provided by Zimbra contain the fixes for

Code: Select all

/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag


for Versions 8.8.15 and 9. It's the same changes as in https://github.com/Zimbra/zm-web-client ... bfbf354704

Also Jim Dunphy's Script: viewtopic.php?f=15&t=70382&start=20#p303866 works for outdated 8.7.11 or 8.8.12 installations as well.
You just have to replace the files which are to be found in /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/
Thank you very much Jim. You've made my day!

If this helps anyone. Here's my modification of Jims Script to apply the patch on older versions of ZCS (8.7.11):

Code: Select all

#!/bin/bash
#
# Run as root.
#   will flush the cache so no mailboxd restart is necessary.
#   will only patch once
#
# patch XSS zero day ZBUG-2642 on Feb 4, 2022 as documented here:
#   https://forums.zimbra.org/viewtopic.php?f=15&t=70382
#
# patched pulled from here (Jholder):
#   https://github.com/Zimbra/zm-web-client/pull/672/commits/76c23a937d2ab40cdfafad1d7a3546bfbf354704
#
# - it needs to run as root because it does a chown zimbra, chmod and zmprov as the zimbra user but it could be all done by zimbra user if you fix that in the script.
# - it backups the original 2 files
# - it patches a few lines to escape some input
# - it flushes the cache (no mailboxd restart is necessary) after running script so you are done
#
# affected files in ZCS 8.8.15 and 9.:
#
# /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
# /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
#
# affected files in ZCS 8.7.11:
#
# /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
# /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
#

# Run as root

clear

[ "$USER" == "root" ] || { echo "Run me as the root user" ; exit 1; }

# -------- multiDay.tag --------------

# ZCS 8.7.11
multiDay=/opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag

# ZCS 8.8.15
# multiDay=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag



grep escapeXml $multiDay | grep -q newAppt

if [ $? -eq 1 ]; then
   # backup of original
   cp $multiDay $multiDay.bak

   echo "Appying patch to $multiDay"

#
# Want to do this:
#     a href="${newAppt}"
# to
#     a href="${fn:escapeXml(newAppt)}"
#

perl - $multiDay <<'__HERE__' > $multiDay.out
my $match_str = quotemeta('href="${newAppt}');
my $replace_str = 'href="${fn:escapeXml(newAppt)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $multiDay.out ]; then
      mv $multiDay.out $multiDay
      chown zimbra:zimbra $multiDay
      chmod 644 $multiDay
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc all"
   fi

else
  echo "nothing to patch"
fi

# -------- monthView.tag --------------

# ZCS 8.7.11
monthView=/opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag

# ZCS 8.8.15
# monthView=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag

grep monthZoomUrl $monthView | grep escapeXml | grep -q dayClick

if [ $? -eq 1 ]; then

   # backup of original
   cp $monthView $monthView.bak

   echo "Appying patch to $monthView"

#
# Want to do this:
#    ${monthZoomUrl}
# to
#    ${fn:escapeXml(monthZoomUrl)}
#

perl - $monthView <<'__HERE__' > $monthView.out
my $match_str = quotemeta('${monthZoomUrl}');
my $replace_str = '${fn:escapeXml(monthZoomUrl)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $monthView.out ]; then
      mv $monthView.out $monthView
      chown zimbra:zimbra $monthView
       chmod 644 $monthView
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc all"
   fi

else
  echo "nothing to patch"
fi

#
# EOF
#
ghen
Advanced member
Advanced member
Posts: 71
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 8.8.15

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby ghen » Sat Feb 05, 2022 5:15 pm

jholder wrote:
Looks like the attack can somehow circumvent Zimbra's CRSF tokens, which they implement exactly to prevent this kind of XSS attacks...

There is a little wiggle room on the definition of cross site. In this particular instance, it's not actually a cross site attack. The link comes from a specially crafted link in the email, which is on the site. That JS can then do bad things to transmit to a remote source. It's called XSS because the request goes outbound to another site. It's about 50% javascript injection and 50% cross site. So CSRF doesn't flag it.

Thanks John, this is helpful.

One more question on this and the Secure HTTP headers: could a CSP (Content Security Policy) have helped here? As I understand it, in theory CSP can prevent such Javascript injection, however the classic Zimbra UI in 8.8.15 makes heavy use of inline javascript - which CSP discourages - so you would unfortunately not be able to deploy a very strict policy on Zimbra.

CSP has been requested by customers for many years (eg. in the bugtracker and here on the forum), but has not been provided so far. The Security wiki mentions the topic, but does not provide an actual policy either.
User avatar
jeastman
Zimbra Employee
Zimbra Employee
Posts: 54
Joined: Tue Mar 29, 2016 1:36 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby jeastman » Sat Feb 05, 2022 5:44 pm

The Security wiki mentions the topic, but does not provide an actual policy either.


Thank you ghen for pointing this out. I will see if I can at least get better steps and maybe some examples added to that.
John Eastman
rainer_d
Posts: 35
Joined: Fri Sep 12, 2014 11:40 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby rainer_d » Sun Feb 06, 2022 8:34 pm

So, the current incarnation of P30 is the one to install, the "real" fix will be P31?

Or will you re-roll P30 once more?

I only heard of this on Saturday evening, via the mail I got from the blog....
User avatar
jholder
Zimbra Employee
Zimbra Employee
Posts: 4824
Joined: Fri Sep 12, 2014 10:00 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby jholder » Mon Feb 07, 2022 1:52 am

rainer_d wrote:So, the current incarnation of P30 is the one to install, the "real" fix will be P31?

Or will you re-roll P30 once more?

I only heard of this on Saturday evening, via the mail I got from the blog....

The patch itself was updated with the changes. So if you've already installed the patch, then using the reinstall switch from your package manager for the package name zimbra-patch will install the updated P30.
P31 will also include this particular fix. If there's any issue, you may use the above script to fix the particular files without patch 30.
ghen
Advanced member
Advanced member
Posts: 71
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 8.8.15

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby ghen » Mon Feb 07, 2022 10:21 am

I think this will cause confusion, as there's now both a vulnerable P30 and a fixed one. The original report said 8.8.15 P30 is vulnerable, what will the upcoming CVE refer to, 8.8.15 P30 as vulnerable or fixed? Better just call this P31 ?
User avatar
oetiker
Advanced member
Advanced member
Posts: 196
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 9.0.0.GA.3924.UBUNTU18.64 U
Contact:

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby oetiker » Mon Feb 07, 2022 10:32 am

Hi

there is still missing a “official” Announcement from Zimbra ... about the XSS bug ...

I think that's not how it should be .... !
User avatar
maxxer
Outstanding Member
Outstanding Member
Posts: 208
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: Reported XSS in zimbra publicly disclosed 3rd

Postby maxxer » Mon Feb 07, 2022 1:50 pm

The files mentioned in the patches do exist in 9.0 NE.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 42 guests