[Users] Another XSS issue / ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

Barry de Graaff info at barrydegraaff.tk
Wed Jan 17 09:33:07 CET 2018


Hello All,

As a follow up for the mails from David last week, I looked into:
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

It looks like a patch for 8.0 to 8.5 is available here:

The upstream is here, as Malte found:

This is probably exploitable via the URL Zimlet; we did see some updates to
that some time ago. But I cannot find those changes in GitHub, so maybe some
history is missing? https://github.com/Zimbra/zm-zimlets/commits/develop/src/zimlet/com_zimbra_url

8.6.0 Patch 8 was issued on 2 February 2017; there is nothing in GitHub.
The config_template.xml for the URL Zimlet in the patch is the same one as
in wolfyzvf/Zimbra-Collaboration-CWE-79.

So I am thinking that installing Patch 8 on 8.6 or updating the URL Zimlet
would fix CWE-79 (with the limited info available).

About the underlying code:
It looks like ZmMailMsgView.prototype._renderMessageBody1 has been redone since
8.6. In 8.6 the code looks like:

					if (appCtxt.get(ZmSetting.VIEW_AS_HTML)) {
					} else {
						// bug fix #31840 - convert HTML to text
						var div = document.createElement("div");
						div.innerHTML = content;
						var convert = AjxStringUtil.convertHtml2Text(div);

						html.push(hasHtmlPart ? "<pre>" : "");
						html.push(hasHtmlPart ? "</pre>" : "");

And the patch in 92d2886277e7d8d4f4835a26355fa93dfebc5504:

         else if (isHtml) {
             if (htmlMode) {
                 // fix broken inline images - take one like this: <img dfsrc="http:...part=1.2.2">
                 // and make it look like this: <img dfsrc="cid:DWT123"> by looking up the cid for that part
                 if (msg._attachments && ZmMailMsgView.IMG_FIX_RE.test(content)) {
                     var partToCid = {};
                     for (var j = 0; j < msg._attachments.length; j++) {
                         var att = msg._attachments[j];
                         if (att.contentId) {
                             partToCid[att.part] = att.contentId.substring(1, att.contentId.length - 1);
                     content = content.replace(ZmMailMsgView.IMG_FIX_RE, function(s, p1, p2, p3) {
                         return partToCid[p2] ? [ p1, '"cid:', partToCid[p2], '"', p3 ].join("") : s;
             else {
                 // this can happen if a message only has an HTML part and the user wants to view mail as text
 - -                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
+                content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
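Review bot: the htmlEncode added on the last line only covers the view-as-text branch; in the htmlMode branch above, the IMG_FIX_RE callback splices partToCid[p2] (taken from att.contentId with its first and last character stripped) straight into the dfsrc attribute between double quotes with no escaping, so a contentId containing a double quote or > would break out of the attribute. Either escape that value the same way, or state in the commit why contentId is trusted at that point. Separately, the hunk as quoted here has lost its @@ header and the closing braces of the for loop, the replace callback and the if/else, so it cannot be applied from this mail as shown; paste it with its context intact or rely on the commit link.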

So it seems the problem there was a missing AjxStringUtil.htmlEncode, but that was there on 8.6. So perhaps 8.6 is not vulnerable.

I would like to see what the exploit was exactly. But I do not think CWE-79 is a problem on 8.6 atm.

Kind regards,

Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community

+31 617 220 227 | skype: barrydegraaff.tk
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0


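The following is an added example, not Zimbra code and not part of Barry's mail, that models the view-as-text path the patch above touches: an HTML-only body is converted to text and then inserted into the page as markup. The functions convertHtml2Text and htmlEncode here are simplified stand-ins for AjxStringUtil.convertHtml2Text and AjxStringUtil.htmlEncode (assumed behaviour: the text conversion strips tags and decodes entities, as a DOM text walk would); the sample body is constructed for the demonstration and is not the exploit from the report.

```javascript
// Added example (not Zimbra's code). Models the "view mail as text" branch:
// content (HTML) -> convertHtml2Text -> wrapped in a <div> via innerHTML.
// The point: HTML-to-text conversion decodes entities, so the resulting
// *text* may contain literal '<' and '>' again. Putting that text back into
// markup without encoding it turns harmless entities into live tags.

// Stand-in for AjxStringUtil.convertHtml2Text (assumption: strips tags,
// decodes common entities, as reading textContent from a DOM would).
function convertHtml2Text(html) {
  const withoutTags = html.replace(/<[^>]*>/g, "");
  return withoutTags
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // decode &amp; last so "&amp;lt;" -> "&lt;", not "<"
}

// Stand-in for AjxStringUtil.htmlEncode: escape the five characters that
// matter in text and attribute context. '&' must be encoded first.
function htmlEncode(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-patch shape of the text branch: converted text goes into markup as-is.
function renderTextVulnerable(content) {
  return "<div style='white-space:pre-wrap;'>" + convertHtml2Text(content) + "</div>";
}

// Post-patch shape: encode the converted text before it becomes markup.
function renderTextFixed(content) {
  return "<div style='white-space:pre-wrap;'>" + htmlEncode(convertHtml2Text(content)) + "</div>";
}

// Check used by the test: count tags in the rendered markup. A safe render
// contains exactly the wrapper's opening and closing <div>, i.e. 2 tags.
function countTags(markup) {
  return (markup.match(/<[^>]+>/g) || []).length;
}

// Constructed sample body: the HTML itself is inert (the tag is entity-
// encoded), but after HTML-to-text conversion the text spells out a tag.
const SAMPLE_BODY = "<p>Hello &lt;b onmouseover=alert(1)&gt;there&lt;/b&gt;</p>";

// Stand-alone run: show both renders side by side.
console.log("text:      ", convertHtml2Text(SAMPLE_BODY));
console.log("vulnerable:", renderTextVulnerable(SAMPLE_BODY), "tags =", countTags(renderTextVulnerable(SAMPLE_BODY)));
console.log("fixed:     ", renderTextFixed(SAMPLE_BODY), "tags =", countTags(renderTextFixed(SAMPLE_BODY)));
```

This is also why the order in the patch, htmlEncode(convertHtml2Text(content)), is the right one: encoding first and converting afterwards would strip the encoding again, since the conversion decodes entities.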