[Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]
Barry de Graaff
info at barrydegraaff.tk
Wed Jan 17 09:33:07 CET 2018
Hello All,
As a follow-up to the mails from David last week, I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]
It looks like a patch for 8.0 to 8.5 is available here:
https://github.com/wolfyzvf/Zimbra-Collaboration-CWE-79
The upstream is here, as Malte found:
https://github.com/Zimbra/zm-web-client/commit/92d2886277e7d8d4f4835a26355fa93dfebc5504
This is probably exploitable via the URL Zimlet; we did see some updates to
that some time ago. But I cannot find those changes back in GitHub, so maybe there
is some history missing? https://github.com/Zimbra/zm-zimlets/commits/develop/src/zimlet/com_zimbra_url
8.6.0 Patch-8 was issued on 2 February 2017, but there is nothing in GitHub.
The config_template.xml for url zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.
So I am thinking that installing Patch 8 on 8.6 or updating the URL Zimlet
would fix CWE-79 (with the limited info available).
About the underlying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been re-done since
8.6. In 8.6 the code looks like:
if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
    html.push(content);
} else {
    // bug fix #31840 - convert HTML to text
    var div = document.createElement("div");
    div.innerHTML = content;
    var convert = AjxStringUtil.convertHtml2Text(div);
    html.push(hasHtmlPart ? "<pre>" : "");
    html.push(AjxStringUtil.htmlEncode(convert));
    html.push(hasHtmlPart ? "</pre>" : "");
}
And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:
else if (isHtml) {
if (htmlMode) {
// fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
// and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
var partToCid = {};
for (var j = 0; j < msg._attachments.length; j++) {
var att = msg._attachments[j];
if (att.contentId) {
partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
}
}
content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
});
}
}
else {
// this can happen if a message only has an HTML part and the user wants to view mail as text
- - content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+ content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
}
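Review bot: the `-` line of the text-mode branch concatenates the output of AjxStringUtil.convertHtml2Text straight into the div markup, so any `<` or `&` left in that text is parsed as HTML; the `+` line encodes it with AjxStringUtil.htmlEncode first, which is the correct fix and matches what the 8.6 code quoted above already did. Two small points: the `else` branch would benefit from a comment stating that convertHtml2Text returns plain text that must be encoded whenever it is re-embedded, so the encode call is not dropped again in a later refactor, and both the old and the new line lack a trailing semicolon.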
So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was there on 8.6. So perhaps 8.6 is not vulnerable.
I would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.
Kind regards,
Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
+31 617 220 227 | skype: barrydegraaff.tk
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
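Added illustration of the text-mode rendering bug and its fix, not code from the mail or from Zimbra: convertHtml2Text and htmlEncode below are simplified stand-ins for AjxStringUtil's functions, and the sample message is constructed.

```javascript
// Entities a minimal HTML-to-text conversion decodes back into characters.
const ENTITIES = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };

// Simplified stand-in for AjxStringUtil.convertHtml2Text: drop tags, then
// decode entities. The result is plain text, so it may legitimately contain
// '<' and '&' characters that are NOT safe to reuse as markup.
function convertHtml2Text(html) {
  const noTags = html.replace(/<[^>]*>/g, "");
  return noTags.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Simplified stand-in for AjxStringUtil.htmlEncode.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Pre-fix behaviour (the '-' line of commit 92d2886): the converted text is
// placed directly into the div, so text that looks like a tag becomes a tag.
function renderAsTextVulnerable(content) {
  return "<div style='white-space:pre-wrap;'>" + convertHtml2Text(content) + "</div>";
}

// Post-fix behaviour (the '+' line): encode the text before embedding it.
function renderAsTextFixed(content) {
  return "<div style='white-space:pre-wrap;'>" + htmlEncode(convertHtml2Text(content)) + "</div>";
}

// Constructed sample: an HTML-only message whose visible text is the literal
// string "<i>hi</i>" (the sender escaped it, so it must display as text).
const SAMPLE_HTML = "<p>Look: &lt;i&gt;hi&lt;/i&gt;</p>";

function demo() {
  return {
    vulnerable: renderAsTextVulnerable(SAMPLE_HTML), // text re-parsed as markup
    fixed: renderAsTextFixed(SAMPLE_HTML),           // stays literal text
  };
}

console.log(demo());
```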