OWASP P13 and P4 removing css display attribute

JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: OWASP P13 and P4 removing css display attribute

Post by JDunphy »

Hi Mark,

Curiosity got the better of me and we are testing this right now. Preheaders are cooked and a nit (don't care as much) but some email can still do preview headers by turning off line height, max width, opacity zero, etc, etc vs display:none which no longer works with P13/P4.

Costco and Walmart emails don't display properly with random images overlaying/floating on top of other images. Pretty much what we expected. So any email with lots of images could be a problem. If it is one image after another then it should be fine and I doubt anyone would notice or care... Washington Post appears to be fine as a result. Best Buy renders like it is 1997. We laughed out loud when we saw that one.

I switched it off the test machine and we retested the same emails:

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

Everything looks great again.

If it was ugly that would be one thing but when you can't read the email that could be a show stopper.

It's a tough call. Certainly fixing the inline images in signatures is a strong reason to apply the patch if you have owasp enabled.

Jim
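An added example (not Zimbra's or the OWASP sanitizer's code) that models the trade-off Jim describes: a stand-in sanitizer that strips only the CSS display property from inline styles is run over a constructed preheader snippet, so the display:none preheader becomes visible while the opacity/line-height variant stays hidden. It assumes display is the one property removed and looks only at inline style attributes; the sample HTML is constructed for the demo.

```python
import re
from html.parser import HTMLParser

DROPPED = {"display"}  # assumption: the property the P13/P4 sanitizer is reported to strip
# Jim's list of tricks that still hide content once `display` is gone (zero values).
HIDING = {"opacity", "line-height", "max-width", "max-height", "font-size"}
ZERO = re.compile(r"^0(\.0+)?(px|em|%)?$")  # matches 0, 0.0, 0px, 0em, 0%

def parse_style(style):
    """'a: b; c: d' -> [('a', 'b'), ('c', 'd')], lower-cased and trimmed."""
    out = []
    for decl in style.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            out.append((prop.strip().lower(), value.strip().lower()))
    return out

def sanitize_style(style):
    """Stand-in for the sanitizer: rebuild the inline style without DROPPED properties."""
    return "; ".join(f"{p}: {v}" for p, v in parse_style(style) if p not in DROPPED)

def is_hidden(style):
    """Heuristic: does this inline style make the element invisible?"""
    for prop, value in parse_style(style):
        if prop == "display" and value == "none":
            return True
        if prop in HIDING and ZERO.match(value):
            return True
    return False

class HidingAudit(HTMLParser):
    """For each styled element, record whether it is hidden before and after sanitizing."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        if style:
            self.findings.append((tag, is_hidden(style), is_hidden(sanitize_style(style))))

def audit(html):
    """Return [(tag, hidden_before, hidden_after)] for every element carrying a style."""
    parser = HidingAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: a display:none preheader, an opacity/line-height preheader, a normal image.
SAMPLE = ('<div style="display:none">Preview text</div>'
          '<span style="opacity:0; line-height:0">Still hidden after P13/P4</span>'
          '<img style="max-width:600px" src="cid:logo">')
```

Running audit(SAMPLE) reports the div as hidden before and visible after sanitizing, the span as hidden both times, and the image as visible throughout, which is the preheader breakage Jim saw.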
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: OWASP P13 and P4 removing css display attribute

Post by JDunphy »

FYI,

I just saw this in 8.8.15 release notes: fixed: "CSRF through local post embedded in Mail Message" ... which makes me think the issue is obfuscation and tricking the user into clicking on a local link which could be really bad because they are authenticated. Is there another pathway to that SSRF or XSS attack we all saw in April from here?

Ref: https://www.owasp.org/index.php/Cross-S ... ery_(CSRF)

The release notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15 quietly walks away from the css display issue. We don't know if they have removed that capability completely going forward or they have fixed the issue. Root cause seems to be the trust they have established to support the admin API but that is speculation on my part.

These are interesting times for sure!
kdbruyne10
Posts: 2
Joined: Fri Aug 23, 2019 10:35 am

Re: OWASP P13 and P4 removing css display attribute

Post by kdbruyne10 »

JDunphy wrote:Hi Mark,

Curiosity got the better of me and we are testing this right now. Preheaders are cooked and a nit (don't care as much) but some email can still do preview headers by turning off line height, max width, opacity zero, etc, etc vs display:none which no longer works with P13/P4.

Costco and Walmart paystub emails don't display properly with random images overlaying/floating on top of other images. Pretty much what we expected. So any email with lots of images could be a problem. If it is one image after another then it should be fine and I doubt anyone would notice or care... Washington Post appears to be fine as a result. Best Buy renders like it is 1997. We laughed out loud when we saw that one.

I switched it off the test machine and we retested the same emails:

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart

Everything looks great again.

If it was ugly that would be one thing but when you can't read the email that could be a show stopper.

It's a tough call. Certainly fixing the inline images in signatures is a strong reason to apply the patch if you have owasp enabled.

Jim
Thank you so much for writing it clearly.