Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

cayaraa
Outstanding Member
Posts: 344
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 10 NE & ZCS 10 FOSS

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by cayaraa »

JDunphy wrote: Wed Oct 09, 2024 4:51 pm Can we do something like this at the nginx level and restart the proxy until we can test and deploy this recent patch that may have non-security-related updates?

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # ZBUG-2706  Memcached poisoning with unauthenticated request
        if ($request_uri ~* "%0A|%0D") {
            return 403;
        }

        #%%% tmp until patch can be tested?
        if ($request_uri ~* "graphql"  && $request_method = GET) {
            return 403;
        }
I don't think the above code works (nginx doesn't like &&). I've been playing around with using this on my test site, and so far, it seems to be working:

#%%% tmp until patch 10.0.10 can be tested
# nginx "if" has no boolean AND, so emulate it with a flag variable:
# start with 1 and clear it whenever one of the conditions fails.
set $and 1;

if ($request_uri !~* "graphql") {
    set $and 0;
}
if ($request_method != GET) {
    set $and 0;
}
# only a GET whose request URI contains "graphql" still has $and = 1 here
if ($and) {
    return 403;
}
In the following files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template

-Aaron
wentum
Advanced member
Posts: 54
Joined: Fri Apr 04, 2014 10:49 am
Location: Pforzheim (Germany)
ZCS/ZD Version: Release 9.0.0.GA.3924 _P30

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by wentum »

Hello Aaron,

this sounds really cool!

I checked those mentioned files but I ask myself where to put it there?
Where did you put it to make it work?

Regards
Joerg
JDunphy
Outstanding Member
Posts: 924
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P42 NETWORK Edition

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by JDunphy »

cayaraa wrote: Tue Oct 22, 2024 8:17 pm
I don't think the above code works (nginx doesn't like &&). I've been playing around with using this on my test site, and so far, it seems to be working:

-Aaron
Nice! Thanks for sharing your solution. The only other way I can think of, given nginx's limited if directive, besides your working solution might be the following:

location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/ {

    # ZBUG-2706  Memcached poisoning with unauthenticated request
    if ($request_uri ~* "%0A|%0D") {
        return 403;
    }

    # %%% tmp solution until running patched code that disables this.
    # rewrite is allowed inside "if" within a location; "last" restarts
    # location matching so the request lands in "location = /forbidden"
    if ($request_method = GET) {
        rewrite ^(.*graphql.*) /forbidden last;
        # more rewrite rules below to block future exploits ;-)
    }
    ...
    ...
}

# %%% added to force queries we want to terminate
location = /forbidden {
    return 403;
}
I have not tested this (nginx -t).
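The two variants in this thread (cayaraa's `set $and` emulation and JDunphy's `rewrite` inside `if ($request_method = GET)`) are not identical in what they match. As an added example that is not from any poster and is a Python approximation of nginx matching rather than nginx itself, the script below models both rule sets and runs a few constructed requests through them so the differences are visible before touching the proxy templates. Assumptions: the request has already matched the `location ~* /(service|...)/` block, `$request_uri` is the raw request line URI including the query string, and `rewrite` regexes are tested against the percent-decoded `$uri` without arguments and are case-sensitive; the function and sample names are made up for this example.

```python
"""Model of the two nginx rule sets from the thread (added example, not
forum code). Returns whether a request would be answered with 403."""
import re
from urllib.parse import unquote

# `$request_uri ~* "%0A|%0D"`: ZBUG-2706 check, `~*` is case-insensitive
CRLF_RE = re.compile(r"%0A|%0D", re.IGNORECASE)
# `$request_uri ~* "graphql"`: case-insensitive, applied to the raw URI
GRAPHQL_RE = re.compile(r"graphql", re.IGNORECASE)
# `rewrite ^(.*graphql.*) /forbidden last;`: case-sensitive, applied to $uri
REWRITE_RE = re.compile(r"^(.*graphql.*)")


def nginx_uri(request_uri: str) -> str:
    """Approximate nginx $uri: request line URI without the query string,
    percent-decoded (assumption about the parts of nginx normalisation that
    matter here)."""
    path = request_uri.split("?", 1)[0]
    return unquote(path)


def blocked_by_set_and(method: str, request_uri: str) -> bool:
    """cayaraa's variant: AND emulated with a flag variable ($and)."""
    if CRLF_RE.search(request_uri):
        return True
    flag = 1
    if not GRAPHQL_RE.search(request_uri):
        flag = 0
    if method != "GET":
        flag = 0
    # nginx treats "0" / empty as false, anything else as true
    return bool(flag)


def blocked_by_rewrite(method: str, request_uri: str) -> bool:
    """JDunphy's variant: rewrite to /forbidden inside if ($request_method = GET),
    where `location = /forbidden` returns 403."""
    if CRLF_RE.search(request_uri):
        return True
    if method == "GET" and REWRITE_RE.match(nginx_uri(request_uri)):
        return True
    return False


# Constructed sample requests (method, raw request URI), not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/service/extension/graphql"),
    ("POST", "/service/extension/graphql"),
    ("GET", "/service/extension/GraphQL"),
    ("GET", "/service/soap?x=graphql"),
    ("GET", "/service/soap?x=%0Afoo"),
    ("GET", "/service/soap/AuthRequest"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (method, uri, blocked_by_set_and, blocked_by_rewrite) per request."""
    return [(m, u, blocked_by_set_and(m, u), blocked_by_rewrite(m, u))
            for m, u in requests]


def disagreements(requests=SAMPLE_REQUESTS):
    """Requests on which the two rule sets give different answers."""
    return [(m, u) for m, u, a, b in compare(requests) if a != b]


if __name__ == "__main__":
    for m, u, a, b in compare():
        print(f"{m:4} {u:35} set_and={a!s:5} rewrite={b!s:5}")
    print("differ on:", disagreements())
```

Both variants agree on the plain `GET .../graphql`, on `POST .../graphql` (allowed), and on the CRLF check. They part ways on letter case (the `~*` test is case-insensitive, the `rewrite` regex is not) and on a "graphql" that appears only in the query string (`$request_uri` includes it, `$uri` does not), so whichever variant is deployed, it is worth deciding deliberately which of those you want blocked and then confirming with `nginx -t` and a couple of test requests against a non-production host.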
cayaraa
Outstanding Member
Posts: 344
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 10 NE & ZCS 10 FOSS

Re: Zimbra 10.1.2 Released - Please Post Patch/Upgrade Results Here

Post by cayaraa »

wentum wrote: Wed Oct 23, 2024 12:27 pm Hello Aaron,

this sounds really cool!

I checked those mentioned files but I ask myself where to put it there?
Where did you put it to make it work?

Regards
Joerg
I was putting them under "# ZBUG-2706" just like JDunphy.

-Aaron