<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'>  Hello,<br><br>
As it seems that the script is very old, I would advise upgrading it by using Bash best practices, even if it is KSH which is called.<br>
Commands like:<br>
command_1=`hostname -f`<br>
for example have to be changed into<br>
command_1=$(hostname -f)<br>
The same thing applies to variables:<br>
VAR_1=bob<br>
should be used like this:<br>
${VAR_1}<br>
and some people use an over-quoting technique too.<br><br>
  Regards,<br><br><br>
<div><span name="x"></span>  ___________________________________<br> /                                   \<br>/-------------------------------------\<br>|  Guy CARRÉ                          |<br>|  *************                      |<br>|  PostMaster - WikiMaster - SysAdmin |<br>|                                     |<br>| "Free Your Mind. Think Open Source" |<br>|  april.org                          |<br>|                                     |<br>|_____________________________________|<span name="x"></span><br></div><br>
<hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Keith McDermott" <keithmcd@purdue.edu><br><b>To: </b>"Barry De Graaff" <barrydg@zetalliance.org>, users@lists.zetalliance.org, devel@lists.zetalliance.org<br><b>Sent: </b>Tuesday 7 June 2016 14:32:39<br><b>Subject: </b>Re: [Users] checkhack-zimbra-preferences shell escape issues<br><br>
  
    
  
  
    <p>Hi Barry,</p>
    <p>I can't remember if it was noted on Git or not, but this was
      written for ZCS6.  We never had issues like this happen in our
      usage of the script for the past 5-6 years.  There would be an odd
      thing very rarely that would cause key/value pairs to get messed up, but
      it always created one file per user.</p>
    <p>Perhaps something's changed in some of the commands that are
      being run since ZCS6?</p>
    <p>Files should be created such as:</p>
    <p>/tmp/zimbra-preferences-scores/2016-06-16/keithmcd</p>
    <p>-keith</p>
    <pre class="moz-signature">Keith McDermott
Messaging Systems Administrator
ITIS, ITaP
Purdue University

E-mail: <a class="moz-txt-link-abbreviated" href="mailto:keithmcd@purdue.edu" target="_blank">keithmcd@purdue.edu</a>
Address: 155 S. Grant Street
        West Lafayette, IN 47907
        
"The road to wisdom, well, it's plain and simple to express,
 Err and err and err again, but less and less and less."
 - Piet Hein</pre>
    <div class="moz-cite-prefix">On 6/7/16 00:49, Barry De Graaff wrote:<br>
    </div>
    <blockquote cite="mid:1816270194.23544.1465274950038.JavaMail.zimbra@zetalliance.org">
      <pre>
Hello All,

I looked into checkhack-zimbra-preferences; it seems like writing it took a lot of time, and
it is a great effort.

However, I was able to crash the script by adding a plain-text signature for a user (see attached).
The script would then try to create arbitrary files on the server file system. That does suggest
shell escaping is not being done properly by this script.

[root@myzimbra ~]#  /usr/local/sbin/checkhack-zimbra-preferences.sh
/tmp/zimbra-preferences-scores/2016-06-06/admin
/tmp/zimbra-preferences-scores/2016-06-06/if
/tmp/zimbra-preferences-scores/2016-06-06/zimbrapreffromaddress
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefidentityname
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if
/usr/local/sbin/checkhack-zimbra-preferences.sh[420]: /tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if: cannot create [File name too long]
/tmp/zimbra-preferences-scores/2016-06-06/zimbrasignaturename


[root@myzimbra ~]# ls --full-time /tmp/zimbra-preferences-scores/2016-06-06/
total 20
-rw-------. 1 root root 2 2016-06-06 21:19:12.137399697 +0200 admin
-rw-------. 1 root root 2 2016-06-06 21:19:12.145399735 +0200 if
-rw-------. 1 root root 2 2016-06-06 21:19:12.152399768 +0200 zimbrapreffromaddress
-rw-------. 1 root root 2 2016-06-06 21:19:12.162399815 +0200 zimbraprefidentityname
-rw-------. 1 root root 2 2016-06-06 21:19:12.172399863 +0200 zimbrasignaturename


Means, it tried to create a file with name:
/tmp/zimbra-preferences-scores/2016-06-06/zimbraprefmailforwardingaddress:*|zimbraprefmaillocaldeliverydisabled:*|zimbraprefsavetosent:*|zimbrasignaturename:*|zimbraprefmailsignature:*|zimbraprefmailsignaturehtml:*|zimbraprefidentityname:*|zimbrapreffromdisplay:*|zimbrapreffromaddress:*|zimbraprefreplytodisplay:*|zimbraprefreplytoaddress:*)if

This is potentially unsafe; it would require me to rewrite the script to make sure it escapes
all user input. Considering this is a script to prevent hackers and spammers from abusing
services, I do not think I can use it as is.

See: <a class="moz-txt-link-freetext" href="https://github.com/Zimbra-Community/zimbra-tools/blob/master/checkhack-zimbra-preferences" target="_blank">https://github.com/Zimbra-Community/zimbra-tools/blob/master/checkhack-zimbra-preferences</a>

Kind regards,

Barry de Graaff
Zeta Alliance Founder
<a class="moz-txt-link-abbreviated" href="http://www.zetalliance.org" target="_blank">www.zetalliance.org</a>

Skype: barrydegraaff.tk
Fingerprint: 9e0e165f06b365ee1e47683e20f37303c20703f8
</pre>
    </blockquote>
    <br>
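<p>Guy's advice on $(...) and quoted ${VAR} expansions and the unescaped preference value Barry reports above, as an added example that is neither the checkhack-zimbra-preferences code nor either author's: a constructed signature value shows how an unquoted expansion turns into several file names, next to a writer that quotes every expansion and allowlists the account name before using it in a path. SCORE_DIR, valid_account, write_score and the one-file-per-account layout are assumptions.</p>

```shell
#!/bin/sh
# Added example, not code from checkhack-zimbra-preferences or from the thread's
# authors: why an unquoted, user-controlled preference value turns into several
# file names, and a writer that quotes every expansion and validates the account
# name first. Assumed layout: one score file per account at $SCORE_DIR/<account>.

SCORE_DIR="${SCORE_DIR:-$(mktemp -d "${TMPDIR:-/tmp}/zimbra-prefs-demo.XXXXXX")}"

# Constructed sample: a plain-text signature the user is free to set, holding
# whitespace, a glob and a pipe, like the value in the failure reported above.
UNSAFE_VALUE='Kind regards * |if'

# Vulnerable pattern: "for f in $value" expands $value unquoted, so the shell
# word-splits it on IFS (and would glob-expand '*'). Echoes how many separate
# names come out; globbing is disabled only to keep the count deterministic.
unquoted_name_count() {
    set -f
    set -- $1          # unquoted on purpose: this is the bug
    set +f
    echo "$#"
}

# Allowlist for the account name that becomes the file name: letters, digits,
# '.', '_', '@' and '-', with no leading '.' or '-', so no '/' or '..' can pass.
valid_account() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*|.*|-*) return 1 ;;
    esac
    return 0
}

# Hardened writer: the path is built only from a validated account name, and the
# user-controlled value goes in as file content through quoted expansions.
write_score() {
    account=$1
    value=$2
    valid_account "$account" || return 1
    mkdir -p "$SCORE_DIR" || return 1
    printf '%s\n' "$value" > "$SCORE_DIR/$account"
}

# Number of files under SCORE_DIR; the hardened writer keeps it at one per account.
score_file_count() {
    set -- "$SCORE_DIR"/*
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}
```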
  

</div><br></div></body></html>