Document Title:
===============
Zimbra 7.2 NE & OSE 7.2 GA - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=581

Release Date:
=============
2012-06-14

Vulnerability Laboratory ID (VL-ID):
====================================
581

Common Vulnerability Scoring System:
====================================
4.5

Product & Service Introduction:
===============================
Zimbra Collaboration Server is an enterprise-class open source email, calendar and collaboration server. With the most innovative web application available today, Zimbra boosts the productivity of users on any desktop and dramatically reduces TCO compared to legacy platform vendors. Other key advantages include advanced compatibility with existing desktop email clients, over-the-air sync to smartphones (iPhone, Android, BlackBerry) as well as better server scalability and more efficient administration.

Zimbra Collaboration Server is the most capable open source email and collaboration suite available today. Far outstripping what is possible with simple open source mail servers, Zimbra provides organizations major productivity boosts with global address lists, shared calendars and document management on the web or offline with Zimbra Desktop. Support for standard protocols enables use of virtually any desktop client or device for added end user flexibility.

Installation and administration is straightforward; all the interdependent components required by Zimbra are packaged within the server, eliminating any integration work by the administrator and management of the system is easily performed using the rich AJAX Admin Console. A vibrant community of IT experts, who are capable of handling most technical questions, supports Zimbra Collaboration Server Open Source Edition. The commercial version for Zimbra Collaboration Server is free to try and can always be reverted back to open source.
(Copy of the Vendor Homepage: http://www.zimbra.com )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in Zimbra 7.2 Network Edition & Open Source Edition 7.2 GA.

Vulnerability Disclosure Timeline:
==================================
2012-05-18: Researcher Notification & Coordination
2012-05-22: Vendor Notification
2012-06-03: Vendor Response/Feedback
2012-06-09: Vendor Fix/Patch
2012-06-15: Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
VMware
Product: Zimbra Network Edition & Zimbra Open Source Edition 7.2 & 7.2 GA

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities are detected in Zimbra 7.2 Network Edition & Open Source Edition 7.2 GA. The bugs allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation of the vulnerabilities can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged application user account.

The first vulnerability is located in the favoritenliste and the bound AJAX exception handling. Attackers can inject malicious script code as `Adresse des Favoriten`. The script code is stored in the DBMS and executes (persistent) when the exception handling renders the invalid address error.

The second vulnerability is located in the alarm function of the Aufgaben - Einstellungen für Benachrichtigungen. Attackers can start an event with malicious script code inside of the date input fields. The result is a persistent execution out of the exception handling for all event or aufgaben viewers.

The third vulnerability is located in the Neuer Kontakt Adresse input field.
Attackers can create new users with malicious script code. After the injection, the script code executes (persistent) out of the user account listing (output) index context.

The last issue is located in the CSV contact import and export. Attackers can craft malicious CSV files with script code inside of the user contact details. After the import, the script code executes (persistent) out of the Zimbra application context.

Vulnerable Section(s):
[+] Adressbuch > Neuer Kontakt - Adresse
[+] FavoritenListe > Exception Handling [Invalid - Exception Handling] > Adresse
[+] Aufgaben > Einstellungen für Benachrichtigungen > Exception Handling
[+] File Import/Export > Ort Name > CSV

Vulnerable Module(s):
[+] [Adresse - Name]
[+] [Adresse - Exception Handling]
[+] [Date]
[+] [Ort Name]

Vulnerable Parameter(s):
[+] ImgNodeCollapsed
[+] DwtMsgArea DWT76_Msg DWT95_notes
[+] contactHeader & companyName
[+] ZmReminderDialog

Proof of Concept (PoC):
=======================
The persistent web vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

Review: Aufgabenerinnerung > Alarm > Ort
Review: Adressbuch > Neuer Kontakt > Adresse
"><[PERSISTENT SCRIPT CODE EXECUTION!]") <
Wann: Von 30. Apr 2012 bis 6. Jun 2012
Ort: "><[PERSISTENT SCRIPT CODE EXECUTION!]")' <
Exception Handling [Invalid] > Adresse ... or
#1: "> <[PERSISTENT SCRIPT CODE EXECUTION!]") <
Leider ist ""><[PERSISTENT SCRIPT CODE EXECUTION!]) <" kein gültiger Name. Er enthält mindestens ein ungültiges Zeichen.
#1: "><[PERSISTENT SCRIPT CODE EXECUTION!]") <
... or
"><[PERSISTENT SCRIPT CODE EXECUTION!]") <
"><[PERSISTENT SCRIPT CODE EXECUTION!]") <

Review: Contacts > Export/Import > CSV

"First Name","Last Name","Middle Name","Name","Nickname","E-mail Address","Home Street","Home City",
"Home Postal Code","Home State","Home Country","Home Phone","Home Fax","Mobile Phone","Personal Web Page",
"Business Street","Business City","Business Postal Code","Business State","Business Country","Business Web Page",
"Business Phone","Business Fax","Pager","Company","Job Title","Department","Office Location","Notes"
"","","","","""> <[PERSISTENT SCRIPT CODE EXECUTION!]") <","","","","","","","","","","","","","","","","","","","","","","","",""
"Alan", "Ajax","","","","alan@zcsdemo.com","1600 Pennstate ave Ste 1230 Springfield, IL","","","","","","","","","","","", "","","","","","","","","","",""
"asd","asdasd","","","","","""><[PERSISTENT SCRIPT CODE EXECUTION!]") <","","","","", "","","","""><[PERSISTENT SCRIPT CODE EXECUTION!]") <","","","","","","","","","","jherfed","fdgdfwwsdfds","","", """><[PERSISTENT SCRIPT CODE EXECUTION!]") <"
"Laura","Linux","","","","laura@atozdomain.com","7070 W. Peter Pan St. Quahog, RI","","","","","","","728-555-9090","","","","","","","","","","","","","","",""
"Zack","Zimbra","","",""," zzimbra@someotherdomainz.com","555 N. 310th Ave Phoenix, AZ","","","","","","","602-555-9090","","","","","","" ,"","","","","","","","",""

Reference(s):
../mail.htm
../index.txt
../Contacts.csv
../aufgabeerinnerung-ort.htm
../adi1-contact.htm

Security Risk:
==============
The security risk of the persistent input validation vulnerabilities is estimated as high(-).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [Rem0ve] (bkm@vulnerability-lab.com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory
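
Added example (not part of the original advisory and not Zimbra's code): the invalid-name error message from the proof of concept, built once with the stored value concatenated as-is and once with HTML output encoding, plus an import-side check and a listing encoder for contact records such as those in the CSV import. All function names and the sample contact record are assumptions; the sample string is the advisory's own placeholder.

```javascript
// Added example, not Zimbra code. SAMPLE_NAME is the advisory's placeholder
// string (constructed input, not a working payload).
const SAMPLE_NAME = '"><[PERSISTENT SCRIPT CODE EXECUTION!]") <';

// Constructed contact record using column names from the CSV export header.
const SAMPLE_CONTACT = {
  'First Name': 'asd',
  'Last Name': 'asdasd',
  'Home Street': SAMPLE_NAME,
  'Company': 'jherfed',
  'Notes': SAMPLE_NAME,
};

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can switch the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the rejected value is concatenated into the message markup, so the
// browser parses the stored input as HTML when the error is displayed.
function invalidNameMessageUnsafe(name) {
  return 'Leider ist "' + name + '" kein gültiger Name.';
}

// After: same message, stored value encoded at output time.
function invalidNameMessageSafe(name) {
  return 'Leider ist "' + escapeHtml(name) + '" kein gültiger Name.';
}

// Import-side check: names of the fields that carry angle brackets, so the
// row can be rejected or flagged before it is stored.
function fieldsWithMarkup(contact) {
  return Object.keys(contact).filter((key) => /[<>]/.test(String(contact[key])));
}

// Output-side defence for listings: encode every field of a stored contact.
function encodeContactForListing(contact) {
  const encoded = {};
  for (const [key, value] of Object.entries(contact)) encoded[key] = escapeHtml(value);
  return encoded;
}

console.log(invalidNameMessageSafe(SAMPLE_NAME));
console.log(fieldsWithMarkup(SAMPLE_CONTACT));
```

Encoding at output time covers values that were stored before any import check existed; the import check only reduces what reaches storage.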