Hello, all. We've just installed our first two Zimbra servers. We normally do a destructive and exhaustive vulnerability scan using openvas and place systems under HIDS with OSSEC before we put them into production. I was a bit surprised that openvas turned up a few worrisome bits. I see others have scanned with Nessus but I did not see these errors. Before we spend lots of time exploring if these are false positives (we are not really security experts), we thought we'd ask the list if they were familiar with these issues.
We show a security hole in postfix enabling a smad attack (DoS). Thankfully, we don't expose port 587 to the Internet but we are a multi-tenant site and could be attacked from the inside.
We also picked up a few warnings for cross site scripting. Most seem to be for specific products which are not in Zimbra, so I assume those are false positives, but one seemed serious:
"The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused
in the request).
Since the content is presented by the server, the user will give it the trust
level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Sample url : http://zimbra.mycompany.com:80/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp"
Has anyone else seen and investigated these? Are they anything to worry about? Thanks - John
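
One way to triage the reflected-XSS finding quoted above, as an added example that is not part of the original post and is not OpenVAS or Zimbra code: fetch the scanner's sample URL from the server under test, then classify how the response echoes the probe string. The function name, the result labels and the sample responses are constructed for illustration.

```python
import html
from urllib.parse import quote

PROBE = "<SCRIPT>foo</SCRIPT>"  # payload taken from the scanner's sample URL


def triage_reflection(content_type, body, probe=PROBE):
    """Classify how a response echoes the scanner's probe string.

    Returns 'raw_html', 'raw_non_html', 'encoded' or 'not_reflected'.
    Only 'raw_html' supports the finding; 'encoded' and 'not_reflected'
    point to a false positive, 'raw_non_html' is lower risk but worth a look.
    """
    lowered = body.lower()
    if probe.lower() in lowered:
        media_type = content_type.split(";")[0].strip().lower()
        # A missing Content-Type lets the browser sniff, so treat it as HTML.
        if media_type in ("", "text/html", "application/xhtml+xml"):
            return "raw_html"
        return "raw_non_html"
    # Harmless echoes: HTML-entity encoded or percent-encoded probe.
    safe_forms = (html.escape(probe).lower(), quote(probe, safe="").lower())
    if any(form in lowered for form in safe_forms):
        return "encoded"
    return "not_reflected"


# Constructed sample responses (content type, body), not captured from Zimbra.
SAMPLES = {
    "error page, entity-encoded echo": (
        "text/html; charset=UTF-8",
        "<html><body>Not found: /foo.jsp?param="
        "&lt;SCRIPT&gt;foo&lt;/SCRIPT&gt;.jsp</body></html>",
    ),
    "error page, raw echo": (
        "text/html",
        "<html><body>Not found: /foo.jsp?param="
        "<script>foo</script>.jsp</body></html>",
    ),
    "plain-text echo": ("text/plain", "No such file <SCRIPT>foo</SCRIPT>.jsp"),
    "generic error page": ("text/html", "<html><body>404</body></html>"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name}: {triage_reflection(ctype, body)}")
```
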