7-1-09 security patch
I would like to disclose a vulnerability I discovered in Zimbra which needs to be patched urgently.
4.5, 5.0.16GA and 6 Beta 2 are all affected.
The initial response from email@example.com has been unhelpful and I do not want to report this on your public bugtracker.
Please contact me at hubert at itsecurity.net
I commend you for trying to handle this in a responsible manner.
I have done some more research on this with a colleague and the issue is highly critical.
If you have Zimbra HTTP(S) and SSH exposed to the internet, your installation can be compromised.
As a workaround I would highly recommend firewalling remote access to the SSH port, although this does not fully address the issue.
Still waiting to be contacted by Zimbra...
I have moderated this post until one of the employees respond; this is for the safety on the community.
I'm trying to get the details offline.
Originally Posted by uxbod
dont open..is this for real?
itsecurity.net doesn't resolve. It is the MX record for the domain, so if he's expecting someone to email him, he's not going to get it.
My domain should be working again now (it has nothing about this bug on it at this time).
Yes it's real, Zimbra have confirmed the issues and are working on a patch.
I'm re moderating this post. We have been in contact with the reporter, and are actively investigating and patching the issue.
Once we announce it, this thread will be republished.
I received email apparently from firstname.lastname@example.org indicating that all current versions of Zimbra have a security vulnerability. The email had instructions and a download link for a patch. Problem is, the email was sent through a mailing list company and I can't verify that Zimbra sent it. Second, there is no reference (that I can find) in the forums or web site about this.
There is no way I'm installing this without something on the web site.
Is this a forgery or does Zimbra not have a clue how to alert their users?