Page 1 of 4

CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Jan 12, 2018 9:40 am
by Klug
Hello all,

it's out in the bugtraq mailing list.
I don't know where to post it in the forum, so here it goes.

In the announcement mail, we learn that Zimbra/Synacor was notified last may.
We also learn any version before 8.8 beta 2 might be vulnerable.
We learn that the security fix was done on december 12 and guidances released to us (customers/users).

However...

There nothing here: https://wiki.zimbra.com/wiki/Security_Center
There is something here: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (in other words, you have to check several wiki pages to find informations)
The bug (107925) is obviously private.
8.6 that is supposed to be under "Technical Guidance" and "General Support" doesn't get a patch (https://blog.zimbra.com/2017/08/zimbras ... ion-8-6-x/).

The last point is the most problematic to me.
On the wiki page (one of the "security pages", as there are several with different informations), we can find out about several security issues discovered since 2016 (mostly XSS).
8.6.0 doesn't get a single patch for them.
Are the issues related to 8.7+ only?

Can someone from Zimbra/Synacor make a clear statement on all this?

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Jan 12, 2018 12:51 pm
by Klug
Checked a little further (thanks to Malte), 8.6 is actually vulnerable (the bad code is in).

This is insane.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 17, 2018 8:16 am
by barrydegraaff
According to Malte Stretz: These are the last two XSS issues fixed:
https://github.com/Zimbra/zm-web-client ... 924b915d68
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

It looks like a patch for 8.0 to 8.5 is available here:
https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79

The upstream is here, as Malte found:
https://github.com/Zimbra/zm-web-client ... 3dfebc5504

This is probably exploitable via the URL Zimlet, we did see some updates of
that some time ago. But I cannot find those change back in Github, so maybe there
is some history missing? https://github.com/Zimbra/zm-zimlets/co ... zimbra_url

8.6.0 Patch-8 has been issued on 2 February 2017, nothing in Github.
The config_template.xml for url zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.

So I am thinking installing patch installing patch 8 on 8.6 or update url zimlet
would fix CWE-79 (with the limited info available).


About the underlaying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been re-done since
8.6. In 8.6 the code looks like:

Code: Select all

                                        if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
                                                html.push(content);
                                        } else {
                                                // bug fix #31840 - convert HTML to text
                                                var div = document.createElement("div");
                                                div.innerHTML = content;
                                                var convert = AjxStringUtil.convertHtml2Text(div);

                                                html.push(hasHtmlPart ? "<pre>" : "");
                                                html.push(AjxStringUtil.htmlEncode(convert));
                                                html.push(hasHtmlPart ? "</pre>" : "");
                                        }

And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:

Code: Select all

         else if (isHtml) {
             if (htmlMode) {
                 // fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
                 // and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
                 if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
                     var partToCid = {};
                     for (var j = 0; j < msg._attachments.length; j++) {
                         var att = msg._attachments[j];
                         if (att.contentId) {
                             partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
                         }
                     }
                     content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
                         return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
                     });
                 }
             }
             else {
                 // this can happen if a message only has an HTML part and the user wants to view mail as text
 - -                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
             }


So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was there on 8.6. So perhaps 8.6 is not vulnerable.

It would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 17, 2018 8:21 am
by barrydegraaff

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 17, 2018 8:25 am
by barrydegraaff
I think the real problem is the communication and lack of a security overview/summary page where all this stuff is documented.

Because even if stuff gets fixed, after some time, it is hard to understand what happened and when.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 17, 2018 9:12 am
by Klug
Barry, as I said on the Zeta-Users mailing-list, I'm not sure about 8.6P8 being vulnerable or not.
There are seven (7) different CWE-79 type for vulnerabilities discovered since last 8.6 patch, with different CVE numbers (so they're in different part of the code).

The patch (by Wolfy) you're talking about was including in 8.6P5.
But it fix only CVE-2015-7609.
It does not fix CVE-2016-3999, CVE-2016-5721, CVE-2017-7288, CVE-2017-8783, CVE-2017-8802, CVE-2017-17703 and the one without CVE-serial.

There are two different concerns.

One if the lack of communication: is 8.6P8 vulnerable or not?
Was all these vulnerabilities tested against 8.6P8 and what is the result?

The second one is "if 8.6P8 is vulnerable, where are the fixes/patches?".

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 23, 2018 8:04 am
by Klug
More than a week later, no news from Synacor, Zimbra France nor the PM...

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 23, 2018 9:42 am
by phoenix
Klug wrote:More than a week later, no news from Synacor, Zimbra France nor the PM...
I'm not surprised at the lack or response, are you? I think Zimbra has abandoned these forums. :(

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 24, 2018 9:30 am
by Klug
I'm not that surprised.

However, the PM is alive.
He reads/posts in this forum and elsewhere (blog post two days ago) so I thought maybe...

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Wed Jan 24, 2018 9:39 pm
by jorgedlcruz
Hi guys,
I will ask Engineering if they can help us to provide some clarity on the issue.

Thanks