Application Error Messages

edisu
Posts: 8
Joined: Fri May 01, 2020 3:25 am

Application Error Messages

Postby edisu » Mon Aug 10, 2020 7:28 am

Hi, we have a Zimbra Network Edition Patch 11 multi-node environment. We conducted some Vulnerability Assessment and Penetration Testing (VAPT) using the tool Acunetix. Based on the VAPT results, an "Application Error Message" finding was reported. Can someone help me with how to mitigate or fix this vulnerability? Is this really a vulnerability or is it a false positive? Below are the details of the result.

Affected items Variation
/zimbraAdmin/js/XForms_all.js.zgz
/zimbraAdmin/js/Zimbra_all.js.zgz
/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz


Description
This alert requires manual confirmation

Application error or warning messages may expose sensitive information about an application's internal workings to an
attacker.

Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the
location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the
affected page.

Impact
Error messages may disclose sensitive information which can be used to escalate attacks.

Recommendation
Verify that this page is disclosing error or warning messages and properly configure the application to log errors to a file
instead of displaying the error to the user.

References
PHP Runtime Configuration (https://www.php.net/manual/en/errorfunc ... lay-errors)
Improper Error Handling (https://www.owasp.org/index.php/Improper_Error_Handling).

Affected items
/zimbraAdmin/js/XForms_all.js.zgz

Details

URL encoded GET input v was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡
Pattern found:
at org.eclipse.jetty.server.Request.getParameters(Request.java:406)
at org.eclipse.jetty.server.Request.getParameter(Request.java:1036)
at com.zimbra.webClient.filters.SetHeaderFilter.setCacheControlHeaders(SetHeaderF
at com.zimbra.webClient.filters.SetHeaderFilter.doFilter(SetHeaderFilter.java:294
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:58)
at com.zimbra.webClient.filters.SetHeaderFilter.doFilter(SetHeaderFilter.java:248
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at com.zimbra.cs.servlet.ContextPathBasedThreadPoolBalancerFilter.doFilter(Contex
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:116)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:482)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:327)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:297)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:2
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:2
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:20
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:16
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:20
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:12
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandle
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.ja
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:33
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:753)
at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:83)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.server.Server.handle(Server.java:505)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnect
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnect
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.j
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKil
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(Reserv
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:69
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.jav


Request headers

GET /zimbraAdmin/js/XForms_all.js.zgz?v=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27' HTTP/1.1
Referer: https://172.16.1.40:7071/zimbraAdmin/
Cookie: ZA_SKIN=serenity;ZA_SKIN=serenity,ZA_TEST=true;ZA_TEST=true;ZA_TEST=true;ZM_TEST=true;ZM_LOGIN_CSRF=4dbb2688-0ae4-48e5-b5c2-37199abe03f0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: 172.16.1.40:7071
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive


/zimbraAdmin/js/Zimbra_all.js.zgz
Details

URL encoded GET input v was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡
Pattern found: same Jetty stack trace as reported above for /zimbraAdmin/js/XForms_all.js.zgz (starting at org.eclipse.jetty.server.Request.getParameters(Request.java:406))


Request headers

GET /zimbraAdmin/js/Zimbra_all.js.zgz?v=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27' HTTP/1.1
Referer: https://172.16.1.40:7071/zimbraAdmin/
Cookie: ZA_SKIN=serenity;ZA_SKIN=serenity,ZA_TEST=true;ZA_TEST=true;ZA_TEST=true;ZM_TEST=true;ZM_LOGIN_CSRF=4dbb2688-0ae4-48e5-b5c2-37199abe03f0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: 172.16.1.40:7071
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive


/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz
Details

URL encoded GET input debug was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡
Pattern found: same Jetty stack trace as reported above for /zimbraAdmin/js/XForms_all.js.zgz (starting at org.eclipse.jetty.server.Request.getParameters(Request.java:406))


Request headers

GET /zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz?debug=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27' &skin=serenity&v=200102011255 HTTP/1.1
Referer: https://172.16.1.40:7071/zimbraAdmin/
Cookie: ZA_SKIN=serenity;ZA_SKIN=serenity;ZA_TEST=true;ZA_TEST=true;ZM_TEST=true;ZM_LOGIN_CSRF=4dbb2688-0ae4-48e5-b5c2-37199abe03f0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: 172.16.1.40:7071
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive


/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz
Details

URL encoded GET input skin was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡
Pattern found:
at org.eclipse.jetty.server.Request.getParameters(Request.java:406)
at org.eclipse.jetty.server.Request.getParameter(Request.java:1036)
at com.zimbra.webClient.filters.SetHeaderFilter.setCacheControlHeaders(SetHeaderF
at com.zimbra.webClient.filters.SetHeaderFilter.doFilter(SetHeaderFilter.java:294
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:58)
at com.zimbra.webClient.filters.SetHeaderFilter.doFilter(SetHeaderFilter.java:248
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at com.zimbra.cs.servlet.ContextPathBasedThreadPoolBalancerFilter.doFilter(Contex
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:116)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:482)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:327)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:297)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.j
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:2
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:2
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:20
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:16
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:20
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:12
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandle
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.ja
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:33
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:614)
at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:83)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132
at org.eclipse.jetty.server.Server.handleAsync(Server.java:550)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:394)
at org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:311)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:69
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.jav


Request headers

GET /zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz?debug=false&skin=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27' &v=200102011255 HTTP/1.1
Referer: https://172.16.1.40:7071/zimbraAdmin/
Cookie: ZA_SKIN=serenity;ZA_SKIN=serenity;ZA_TEST=true;ZA_TEST=true;ZM_TEST=true;ZM_LOGIN_CSRF=4dbb2688-0ae4-48e5-b5c2-37199abe03f0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: 172.16.1.40:7071
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive


/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz
Details

URL encoded GET input v was set to 12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡
Pattern found: same Jetty stack trace as reported above for /zimbraAdmin/js/XForms_all.js.zgz (starting at org.eclipse.jetty.server.Request.getParameters(Request.java:406))


Request headers

GET /zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz?debug=false&skin=serenity&v=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27' HTTP/1.1
Referer: https://172.16.1.40:7071/zimbraAdmin/
Cookie: ZA_SKIN=serenity;ZA_SKIN=serenity;ZA_TEST=true;ZA_TEST=true;ZM_TEST=true;ZM_LOGIN_CSRF=4dbb2688-0ae4-48e5-b5c2-37199abe03f0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: 172.16.1.40:7071
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
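
A way to do the "manual confirmation" the report asks for, added here as an example; it is not code from the post, from Acunetix or from Zimbra. It replays the scanner's probe value against one of the affected paths and judges the result on the response body, because a 4xx/5xx status on its own is not a disclosure: the finding is real only if Java stack-trace frames or an exception class name come back to the client. The host and port (172.16.1.40:7071), paths and parameter names are the ones in the report; the two sample response bodies are constructed for the offline demo (the exception line in the first one is illustrative, the two frame lines are the ones the report shows in full), and the certificate handling assumes a lab instance with a self-signed admin certificate.

```python
"""Manually confirm an Acunetix "Application error message" finding.

Added example for this thread; not code from the post, Acunetix or Zimbra.
Replays the scanner's probe value against one affected URL and decides the
finding on the response BODY: real only if Java stack-trace frames or an
exception class name reach the client, not merely because the server
answered 4xx/5xx.
"""
import gzip
import html
import http.client
import re
import ssl
import sys

# Probe value copied from the report (Acunetix also appends U+1F4A1; left out
# here because http.client refuses non-ASCII request targets). The NUL bytes
# and the lone continuation byte %bf are the interesting part: the innermost
# frame in the report is Jetty's Request.getParameters().
PROBE_VALUE = r"""12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'"""

# "at pkg.Class.method(File.java:123)" frame lines, matched after HTML-unescaping.
FRAME_RE = re.compile(r"^\s*at [\w$.<>]+\([^\n]*", re.MULTILINE)
# Fully qualified Java exception/error class names, e.g. org.eclipse.jetty.http.BadMessageException
EXC_RE = re.compile(r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b")

# Constructed sample bodies for the offline demo (not captured from a real server).
SAMPLE_LEAKED_BODY = """<html><head><title>Error 400</title></head><body>
<h2>HTTP ERROR 400</h2>
<pre>org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query
\tat org.eclipse.jetty.server.Request.getParameters(Request.java:406)
\tat org.eclipse.jetty.server.Request.getParameter(Request.java:1036)
</pre></body></html>"""
SAMPLE_CLEAN_BODY = "<h2>HTTP ERROR 400 Bad Request</h2><p>URI: /zimbraAdmin/js/XForms_all.js.zgz</p>"


def build_probe_target(path: str, param: str, extra_query: str = "") -> str:
    """Request target exactly as the scanner sent it (percent escapes left raw)."""
    query = f"{param}={PROBE_VALUE}"
    if extra_query:
        query += "&" + extra_query
    return f"{path}?{query}"


def classify(status: int, body: str) -> dict:
    """Decide whether a response discloses server-side exception details."""
    text = html.unescape(body)  # Jetty error pages wrap the trace in <pre> with &lt; etc.
    frames = [f.strip() for f in FRAME_RE.findall(text)]
    exc = EXC_RE.search(text)
    leaked = bool(frames) or exc is not None
    if leaked:
        verdict = "confirmed: exception details reached the client"
    elif status >= 400:
        verdict = "not reproduced: error status but no trace in body"
    else:
        verdict = "not reproduced: normal response"
    return {
        "status": status,
        "stack_trace_leaked": leaked,
        "exception": exc.group(0) if exc else None,
        "frames": frames[:5],  # innermost frames name the code path that failed
        "verdict": verdict,
    }


def probe(host: str, port: int, path: str, param: str, extra_query: str = "") -> dict:
    """Replay the probe over TLS against a LAB host; certificate checks are disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # self-signed admin-console certificate (assumption)
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request("GET", build_probe_target(path, param, extra_query),
                     headers={"Accept": "*/*", "Accept-Encoding": "identity"})
        resp = conn.getresponse()
        raw = resp.read()
        if (resp.getheader("Content-Encoding") or "").lower() == "gzip":
            raw = gzip.decompress(raw)  # .zgz resources are served pre-compressed
    finally:
        conn.close()
    return classify(resp.status, raw.decode("utf-8", errors="replace"))


def demo() -> tuple:
    """Classify the two constructed bodies (what the offline run shows)."""
    return classify(400, SAMPLE_LEAKED_BODY), classify(400, SAMPLE_CLEAN_BODY)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        leaked, clean = demo()
        print("offline demo:", leaked["verdict"], "|", clean["verdict"])
        print("usage: confirm_trace_leak.py HOST PORT PATH PARAM [EXTRA_QUERY]")
        sys.exit(0)
    host, port, path, param = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    result = probe(host, port, path, param, sys.argv[5] if len(sys.argv) > 5 else "")
    print(result["verdict"])
    for frame in result["frames"]:
        print("   ", frame)
```

Run it as `python3 confirm_trace_leak.py 172.16.1.40 7071 /zimbraAdmin/js/XForms_all.js.zgz v` against a system you are authorised to test; with no arguments it only classifies the constructed samples. If the trace does reproduce, the fix belongs to the servlet container, not to the JavaScript files the report lists, and the report's PHP display_errors reference does not apply to a Java/Jetty application: Jetty's org.eclipse.jetty.server.handler.ErrorHandler has a showStacks setting that decides whether exception traces are written into error pages, and because Zimbra regenerates its Jetty configuration from its own templates, an NE customer should take that change through a support case rather than hand-edit jetty.xml.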


phoenix
Ambassador
Posts: 26682
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Application Error Messages

Postby phoenix » Mon Aug 10, 2020 9:00 am

edisu wrote: Hi, we have a Zimbra Network Edition Patch 11 multi-node environment.
That doesn't tell us anything about your ZCS version and you should always post the full output of the following command:

zmcontrol -v
As you're an NE user I'd suggest you open a support case about this 'problem'.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
edisu
Posts: 8
Joined: Fri May 01, 2020 3:25 am

Re: Application Error Messages

Postby edisu » Mon Aug 10, 2020 12:13 pm

Sorry, I forgot to include it. Here's the version of our Zimbra server:

[zimbra@mailbox2 ~]$ zmcontrol -v
Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 NETWORK edition, Patch 8.8.15_P11.
