CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Klug
Elite member
Posts: 2284
Joined: Mon Dec 16, 2013 11:35 am

CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Fri Jan 12, 2018 9:40 am

Hello all,

It's out on the bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.

In the announcement mail, we learn that Zimbra/Synacor was notified last May.
We also learn that any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on December 12 and that guidance was released to us (customers/users).

However...

There's nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find the information)
The bug (107925) is obviously private.
8.6, which is supposed to be under "Technical Guidance" and "General Support", doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).

The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different information), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?

Can someone from Zimbra/Synacor make a clear statement on all this?


Klug
Elite member
Posts: 2284
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Fri Jan 12, 2018 12:51 pm

I checked a little further (thanks to Malte): 8.6 is actually vulnerable (the bad code is in).

This is insane.
barrydegraaff
Posts: 49
Joined: Tue Jun 17, 2014 3:31 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby barrydegraaff » Wed Jan 17, 2018 8:16 am

According to Malte Stretz, these are the last two XSS issues fixed:
https://github.com/Zimbra/zm-web-client ... 924b915d68
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

It looks like a patch for 8.0 to 8.5 is available here:
https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79

The upstream is here, as Malte found:
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

This is probably exploitable via the URL Zimlet; we did see some updates of
that some time ago. But I cannot find those changes back in GitHub, so maybe there
is some history missing? https://github.com/Zimbra/zm-zimlets/co ... zimbra_url

8.6.0 Patch-8 was issued on 2 February 2017; nothing in GitHub.
The config_template.xml for the URL zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.

So I am thinking that installing patch 8 on 8.6 or updating the URL zimlet
would fix CWE-79 (with the limited info available).


About the underlying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been redone since
8.6. In 8.6 the code looks like:

Code:

    if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
        html.push(content);
    } else {
        // bug fix #31840 - convert HTML to text
        var div = document.createElement("div");
        div.innerHTML = content;
        var convert = AjxStringUtil.convertHtml2Text(div);

        html.push(hasHtmlPart ? "<pre>" : "");
        html.push(AjxStringUtil.htmlEncode(convert));
        html.push(hasHtmlPart ? "</pre>" : "");
    }

And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:

Code:

         else if (isHtml) {
             if (htmlMode) {
                 // fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
                 // and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
                 if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
                     var partToCid = {};
                     for (var j = 0; j < msg._attachments.length; j++) {
                         var att = msg._attachments[j];
                         if (att.contentId) {
                             partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
                         }
                     }
                     content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
                         return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
                     });
                 }
             }
             else {
                 // this can happen if a message only has an HTML part and the user wants to view mail as text
 - -                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
             }
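Review bot: the `+` line is the actual fix: the string returned by AjxStringUtil.convertHtml2Text is concatenated straight into the div markup, so without the htmlEncode wrapper any `<`, `>` or `&` present in that text is parsed as HTML instead of being shown as text; wrapping it in htmlEncode is the right change. Both the removed and the added line lack a trailing semicolon, so add one for consistency with the surrounding block. Note that this hunk only touches the view-as-text branch; the htmlMode branch above it (the partToCid rewrite) is unchanged here.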


So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was already there on 8.6. So perhaps 8.6 is not vulnerable.

I would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.
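To make the difference between the two branches in that patch concrete, here is an added stand-alone example (it is not Zimbra code and not from the post above): small stand-ins for AjxStringUtil.htmlEncode and AjxStringUtil.convertHtml2Text, the unpatched and patched text-view lines, and a constructed HTML-only message whose text contains an entity-encoded tag, which is exactly the input the missing encode call mishandles. The helper behaviour is assumed, not copied from the real library.

```javascript
// Added example, not Zimbra's code: stand-ins for the helpers used in the patched branch.
const ENTITY_MAP = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// Assumed equivalent of AjxStringUtil.htmlEncode: escape the characters that
// would otherwise be interpreted as markup. "&" must be encoded first.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Assumed equivalent of AjxStringUtil.convertHtml2Text: drop tags and decode
// entities, so the *text* of the message comes back as plain characters.
function convertHtml2Text(html) {
  const withoutTags = html.replace(/<br\s*\/?>/gi, "\n").replace(/<[^>]*>/g, "");
  return withoutTags.replace(/&(#?\w+);/g, (m, name) =>
    ENTITY_MAP[name] !== undefined ? ENTITY_MAP[name] : m);
}

// The removed ("-") line: decoded text is concatenated straight into markup.
function renderTextViewUnpatched(content) {
  return "<div style='white-space:pre-wrap;'>" + convertHtml2Text(content) + "</div>";
}

// The added ("+") line: encode the text before it goes back into markup.
function renderTextViewPatched(content) {
  return "<div style='white-space:pre-wrap;'>" +
    htmlEncode(convertHtml2Text(content)) + "</div>";
}

// Detection helper for the check: count real tags inside the wrapper div.
function countInnerTags(fragment) {
  const inner = fragment.replace(/^<div[^>]*>/, "").replace(/<\/div>$/, "");
  return (inner.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample: an HTML-only message whose visible text carries an
// entity-encoded <b> tag. Unpatched rendering turns it into live markup.
const SAMPLE_MESSAGE = "<p>Hello,<br>see &lt;b&gt;attached&lt;/b&gt; &amp; reply</p>";
```

Run under Node: countInnerTags(renderTextViewUnpatched(SAMPLE_MESSAGE)) is 2 (the decoded tag became markup), while the patched renderer yields 0 and shows the tag as literal text.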
barrydegraaff
Posts: 49
Joined: Tue Jun 17, 2014 3:31 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby barrydegraaff » Wed Jan 17, 2018 8:25 am

I think the real problem is the communication and lack of a security overview/summary page where all this stuff is documented.

Because even if stuff gets fixed, after some time, it is hard to understand what happened and when.
Klug
Elite member
Posts: 2284
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Wed Jan 17, 2018 9:12 am

Barry, as I said on the Zeta-Users mailing list, I'm not sure about 8.6P8 being vulnerable or not.
There are seven (7) different CWE-79 type vulnerabilities discovered since the last 8.6 patch, with different CVE numbers (so they're in different parts of the code).

The patch (by Wolfy) you're talking about was included in 8.6P5.
But it fixes only CVE-2015-7609.
It does not fix CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and the one without a CVE serial.

There are two different concerns.

One is the lack of communication: is 8.6P8 vulnerable or not?
Were all these vulnerabilities tested against 8.6P8, and what is the result?

The second one is "if 8.6P8 is vulnerable, where are the fixes/patches?".
Klug
Elite member
Posts: 2284
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Tue Jan 23, 2018 8:04 am

More than a week later, no news from Synacor, Zimbra France nor the PM...
phoenix
Ambassador
Posts: 25772
Joined: Fri Sep 12, 2014 9:56 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby phoenix » Tue Jan 23, 2018 9:42 am

Klug wrote: More than a week later, no news from Synacor, Zimbra France nor the PM...

I'm not surprised at the lack of response, are you? I think Zimbra has abandoned these forums. :(
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
Klug
Elite member
Posts: 2284
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Wed Jan 24, 2018 9:30 am

I'm not that surprised.

However, the PM is alive.
He reads/posts in this forum and elsewhere (blog post two days ago) so I thought maybe...
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby jorgedlcruz » Wed Jan 24, 2018 9:39 pm

Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.

Thanks
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
