[Users] Another XSS issue
Barry de Graaff
info at barrydegraaff.tk
Tue Jan 16 18:29:21 CET 2018
Hello Malte,
Tomorrow I will dig a bit deeper and hope to roll out a patch for
the issues in the github commits below.
Could you please look on GitHub to see if there are other commits
that are relevant for patching in 8.6, and that are not yet in the
latest patch for 8.6?
Then I will look as well, and hopefully we can find and patch them all
this way, until an official patch comes out.
I am asking you because you are more familiar with the codebase than
me; I don't want to overlook things.
Thanks!
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
+31 617 220 227 | skype: barrydegraaff.tk
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
----- Original Message -----
From: "Malte S. Stretz" <mss at msquadrat.de>
To: "David Touitou" <david at network-studio.com>, users at lists.zetalliance.org
Sent: Friday, January 12, 2018 1:11:36 PM
Subject: Re: [Users] Another XSS issue
Hi David,
On 12.01.2018 10:44, David Touitou wrote:
> I got a mail in the bugtraq mailing list about another XSS discovered.
> And fixed for 8.8+ versions of ZCS.
>
> However, nothing for 8.6.
> Nothing for that XSS and all the XSS discovered since 2016.
> https://forums.zimbra.org/viewtopic.php?f=13&t=63390
>
> Does anyone here know if all these XSS are only issues with 8.7+ code base?
> Or did they (synacor) just "forget" to provide a patch for 8.6?
I'm pretty sure 8.6 is affected as well though I didn't look since I am
frustrated enough that 8.7 doesn't get any proper fixes.
It should be easy to verify, just have a look at the JavaScript code for
the affected code. These are the last two XSS issues fixed:
* https://github.com/Zimbra/zm-web-client/commit/8c646be0322c0ab6858652c184133b924b915d68
* https://github.com/Zimbra/zm-web-client/commit/92d2886277e7d8d4f4835a26355fa93dfebc5504
I sometimes wonder how Synacor themselves manage to run an 8.7.0 (!) on
mail.zimbra.com…
Cheers,
Malte