Zimbra recently released Zimbra Collaboration 8.6 Patch 5. It fixes two Cross-Site Scripting (XSS) vulnerabilities that were discovered and reported by a security researcher at Fortinet's FortiGuard Labs in October 2015. CVE-2015-7609 was assigned to these two XSS vulnerabilities. One of them is caused by insufficient sanitization of the email message body: it allows remote attackers to launch an XSS attack against Zimbra Collaboration users simply by sending a specially crafted email. In this blog, we elaborate on this vulnerability.
Proof of Concept
To reproduce this vulnerability, we can use any email service to create an email message containing the following content and send it to a Zimbra Collaboration user.
Normally, Zimbra Collaboration sanitizes the email message body by escaping dangerous HTML symbols such as double quotes, the less-than sign, the greater-than sign, and opening and closing parentheses. As we can see in figure 1 below, extra double quotes are inserted.
Figure 1. Normal Sanitization
But when we send an email message containing the above proof of concept, the sanitization function for dangerous HTML symbols doesn't work properly. See figure 2 below.
Figure 2. Code Is Inserted
When the Zimbra Collaboration user opens this email message, the injected code is executed automatically. See figure 3 below.
Figure 3. Inserted Code Is Executed
In fact, attackers can send an email message containing any malicious code to victims. When a victim views this email message, the injected code is automatically executed within the security context of the victim. In the attack scenario shown in figure 4, a dialog pops up asking for the password to log into the victim's account.
Figure 4. An Attack Scenario
If the victim enters his/her password, the attacker obtains it. Watch the following video for the attack demonstration.
In figure 2, we can see the source code of the specially crafted email message. The proof of concept is included in a hyperlink defined by an <a> tag. Zimbra Collaboration treats the "////" as a file link but doesn't correctly handle the HTML symbol ' (single quote) that follows it, which results in the injected code being executed as shown in figure 3.
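The root cause described above (the sanitizer escapes double quotes, angle brackets and parentheses, but a single quote after a "////" file-link prefix reaches the rendered attribute unescaped) is easiest to see with a small attribute-context escaper. The following is an added example written for this post; it is not Zimbra's code. The function names (escapeAttr, escapeAttrBuggy, renderLink, attrValueIsSafe) and the sample file name are assumptions: escapeAttrBuggy is a hypothetical emulation of the failure mode, where a file-link branch skips escaping for the rest of the value, and escapeAttr is the hardened form that escapes every attribute-breaking character regardless of what precedes it.

```javascript
// Added example (not Zimbra's code): escaping an untrusted href value for
// use inside an HTML attribute, covering the single quote that the post
// says was left unescaped after a "////" file-link prefix.

// Entity replacements for every character that can close an attribute
// value, open markup, or (per the post) is treated as dangerous by the
// sanitizer: & < > " ' ( )
const ATTR_ESCAPE = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "(": "&#40;",
  ")": "&#41;",
};

// Hardened form: escape unconditionally, no matter what precedes the
// character in the string or whether the value looks like a file link.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'()]/g, (ch) => ATTR_ESCAPE[ch]);
}

// Hypothetical emulation of the failure mode described in the post (not
// Zimbra's actual code): values that look like a file link ("////...") take
// a separate branch, and the characters after the prefix are passed through.
function escapeAttrBuggy(value) {
  const s = String(value);
  if (s.startsWith("////")) {
    return s; // file-link branch skips escaping entirely
  }
  return escapeAttr(s);
}

// Build the anchor tag with the escaped href inside double quotes. The
// escaper is a parameter so the two behaviours can be compared.
function renderLink(href, text, escaper = escapeAttr) {
  return `<a href="${escaper(href)}">${escaper(text)}</a>`;
}

// Defender-side check: after escaping, an attribute value must contain none
// of the raw characters that can break out of the attribute or start
// markup. "&" is allowed here because it begins the entities we emit.
const RAW_BREAKOUT = /[<>"'()]/;
function attrValueIsSafe(value) {
  return !RAW_BREAKOUT.test(String(value));
}

// Constructed sample: a file-link-looking href whose name contains an
// apostrophe, i.e. a single quote after the "////" prefix.
const SAMPLE_HREF = "////files/it's-here.txt";

// Stand-alone demonstration of both behaviours on the sample value.
console.log("hardened:", renderLink(SAMPLE_HREF, "report", escapeAttr));
console.log("safe?    ", attrValueIsSafe(escapeAttr(SAMPLE_HREF)));
console.log("buggy:   ", renderLink(SAMPLE_HREF, "report", escapeAttrBuggy));
console.log("safe?    ", attrValueIsSafe(escapeAttrBuggy(SAMPLE_HREF)));
```

With the hardened escaper the apostrophe is emitted as `&#39;`, so the href attribute cannot be terminated early; with the emulated file-link branch the raw quote survives and the attribute-safety check fails. The same check (no raw `<>"'()` left in any attribute value that came from message content) is a cheap regression test to keep alongside a sanitizer, since it catches exactly the kind of prefix-dependent bypass this post describes.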
Malicious users could exploit this XSS vulnerability to:
Steal victims’ sensitive information like cookies, session tokens.
Redirect victims to malicious websites.
Generate a fake web page or dialog which asks for users’ sensitive information like their credentials.
As a result, an attacker could compromise other users' accounts. If the account has high-level privileges, the attacker may gain complete control of the whole Zimbra Collaboration system.
Users of Zimbra Collaboration 8.6 Patch 4 and earlier should upgrade to the latest version of Zimbra Collaboration as soon as possible.
Networks and users who have deployed Fortinet IPS have been automatically protected from this vulnerability by the IPS signature Zimbra.Email.Body.XSS since the vulnerability was reported to the vendor.
Thanks to Fortinet’s FortiGuard Labs for discovering this vulnerability.