OWASP P13 and P4 removing css display attribute

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 478
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition
Contact:

Re: OWASP P13 and P4 removing css display attribute

Postby JDunphy » Thu Jul 18, 2019 8:47 pm

Hi Mark,

Curiosity got the better of me and we are testing this right now. Preheaders are cooked and a nit (don't care as much) but some email can still do preview headers by turning off line height, max width, opacity zero, etc, etc vs display:none which no longer works with P13/P4.

Costco and Walmart emails don't display properly with random images overlaying/floating on top of other images. Pretty much what we expected. So any email with lots of images could be a problem. If it is one image after another then it should be fine and I doubt anyone would notice or care... Washington Post appears to be fine as a result. Best Buy renders like it is 1997. We laughed out loud when we saw that one.

I switched it off the test machine and we retested the same emails:

Code: Select all

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart


Everything looks great again.

If it was ugly that would be one thing but when you can't read the email that could be a show stopper.

It's a tough call. Certainly fixing the inline images in signatures is a strong reason to apply the patch if you have owasp enabled.

Jim


User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 478
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition
Contact:

Re: OWASP P13 and P4 removing css display attribute

Postby JDunphy » Tue Jul 23, 2019 7:27 pm

FYI,

I just saw this in 8.8.15 release notes: fixed: "CSRF through local post embedded in Mail Message" ... which makes me think the issue is obfuscation and tricking the user into clicking on a local link which could be really bad because they are authenticated. Is there another pathway to that SSRF or XSS attack we all saw in April from here?

Ref: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

The release notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15 quietly walks away from the css display issue. We don't know if they have removed that capability completely going forward or they have fixed the issue. Root cause seems to be the trust they have established to support the admin API but that is speculation on my part.

These are interesting times for sure!
kdbruyne10
Posts: 2
Joined: Fri Aug 23, 2019 10:35 am

Re: OWASP P13 and P4 removing css display attribute

Postby kdbruyne10 » Mon Sep 09, 2019 6:26 am

JDunphy wrote:Hi Mark,

Curiosity got the better of me and we are testing this right now. Preheaders are cooked and a nit (don't care as much) but some email can still do preview headers by turning off line height, max width, opacity zero, etc, etc vs display:none which no longer works with P13/P4.

Costco and Walmart paystub emails don't display properly with random images overlaying/floating on top of other images. Pretty much what we expected. So any email with lots of images could be a problem. If it is one image after another then it should be fine and I doubt anyone would notice or care... Washington Post appears to be fine as a result. Best Buy renders like it is 1997. We laughed out loud when we saw that one.

I switched it off the test machine and we retested the same emails:

Code: Select all

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart


Everything looks great again.

If it was ugly that would be one thing but when you can't read the email that could be a show stopper.

It's a tough call. Certainly fixing the inline images in signatures is a strong reason to apply the patch if you have owasp enabled.

Jim

Thank you so much for writing it clearly

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 3 guests