
FortiGuard Labs Threat Research

Zimbra Collaboration XSS Vulnerability: Be Careful If You're Using Zimbra Email

By Peixue Li | January 31, 2016

Summary

Zimbra recently released an update to Zimbra Collaboration. It fixes two Cross-Site Scripting (XSS) vulnerabilities that a security researcher at Fortinet's FortiGuard Labs discovered and reported in October 2015. CVE-2015-7609 was assigned to cover both of them. One of the two is caused by insufficient sanitization of the email message body: a remote attacker can launch an XSS attack against Zimbra Collaboration users simply by sending a specially crafted email. In this blog we elaborate on that vulnerability.

Proof of Concept

To reproduce this vulnerability, use any email service to create an email message containing the following content and send it to a Zimbra Collaboration user.

 

Normally Zimbra Collaboration sanitizes the email message body by quoting dangerous HTML symbols such as the double quote, the less-than sign, the greater-than sign and the opening and closing parentheses. As figure 1 shows, an extra double quote is inserted so that the original one can no longer terminate the attribute.

Figure 1. Normal Sanitization

But when we send an email message containing the above proof of concept, the sanitization of dangerous HTML symbols does not work properly, as figure 2 shows.

Figure 2. Code Is Inserted

When the Zimbra Collaboration user opens this email message, the injected code is executed automatically, as figure 3 shows.

Figure 3. Inserted Code Is Executed

In fact, attackers can send victims an email message containing arbitrary malicious code. Whenever a victim views the message, the injected code executes automatically within the victim's security context. In the attack scenario shown in figure 4, a dialog pops up asking for the password to log into the victim's account.

Figure 4. An Attack Scenario

If the victim enters his or her password, the attacker obtains it. Watch the following video for a demonstration of the attack.

Analysis

Figure 2 shows the source code of the specially crafted email message. The proof of concept is embedded in a hyperlink defined by an <a> tag. Zimbra Collaboration treats the "////" prefix as a file link but does not correctly handle the single quote (') that follows it, so the injected code is executed as shown in figure 3.
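The escaping gap described above (double quotes, angle brackets and parentheses are quoted, the single quote is not) is easiest to see next to its fix. The following is an added example written for this article, a hypothetical model and not Zimbra's code: render_file_link_naive is an assumed rendering path for "////" file links that places the value in a single-quoted attribute after escaping only the symbols the page lists, render_file_link_hardened is the same path using html.escape with quote=True, and FILE_LINK_VALUE is a constructed value whose handler body is a placeholder rather than the real proof of concept. The parser at the end reports which attributes the <a> tag actually ends up with, which is what a browser would act on.

```python
import html
from html.parser import HTMLParser

# Constructed attribute value modelled on the description above: a "////"
# file-link prefix, then a single quote that closes the attribute, then an
# injected event handler. The handler body is a placeholder, not the real PoC.
FILE_LINK_VALUE = "////'onmouseover='alert(1)"

# The symbols the article says the normal path quotes; the single quote
# is deliberately not among them, which is the gap being modelled.
NAIVE_ESCAPES = {'"': "&quot;", "<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;"}


def naive_escape(value):
    """Hypothetical sanitizer: escapes double quotes, angle brackets and
    parentheses, but leaves the single quote untouched."""
    return "".join(NAIVE_ESCAPES.get(ch, ch) for ch in value)


def render_file_link_naive(value):
    """Hypothetical file-link rendering path (assumed, not Zimbra's): the
    naively escaped value is placed in a single-quoted href attribute."""
    return "<a href='%s'>file</a>" % naive_escape(value)


def render_file_link_hardened(value):
    """Same rendering path, but html.escape(quote=True) encodes both quote
    characters (and &, <, >), so the value can never close the attribute."""
    return "<a href='%s'>file</a>" % html.escape(value, quote=True)


class AnchorAttributes(HTMLParser):
    """Collects the attributes the first <a> tag has after parsing; entity
    references in attribute values are decoded, as a browser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    """Return {attribute: value} for the first <a> tag in markup."""
    parser = AnchorAttributes()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for label, render in (("naive", render_file_link_naive),
                          ("hardened", render_file_link_hardened)):
        out = render(FILE_LINK_VALUE)
        print(label, out, anchor_attributes(out))
```

With the naive path the parsed anchor carries a second attribute, onmouseover, whose value decodes back to the injected handler even though the parentheses were entity-encoded; with the hardened path the whole constructed value stays inside href. The general lesson is that an escaper has to be chosen for the context the value lands in (here a single-quoted attribute), not for a fixed list of "dangerous" characters.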

Malicious users could exploit this XSS vulnerability to:

  1. Steal victims' sensitive information such as cookies and session tokens.
  2. Redirect victims to malicious websites.
  3. Generate a fake web page or dialog that asks for users' sensitive information such as their credentials.

As a result, an attacker could compromise other users' accounts. If a compromised account has high-level privileges, the attacker may gain complete control of the whole Zimbra Collaboration system.

Mitigation

Users running Zimbra Collaboration 8.6 Patch 4 or earlier should upgrade to the latest version of Zimbra Collaboration as soon as possible.

Networks and users who have deployed Fortinet IPS have been protected automatically against this vulnerability by the IPS signature Zimbra.Email.Body.XSS since the vulnerability was reported to the vendor.
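For sites that cannot upgrade immediately, a mail-gateway or mailbox sweep for messages matching the shape described in the analysis is a practical interim check. The following is an added example, not Fortinet's signature and not Zimbra's code: it parses a constructed sample message (RAW_MESSAGE and BENIGN_MESSAGE are made up for this example), walks every text/html part, and reports href values that begin with the "////" file-link prefix and contain a quote character. The string after the quote in the sample is a placeholder, not the real payload.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real capture): a multipart email whose
# HTML part carries an anchor with the "////" prefix followed by a single
# quote, the shape the analysis above describes.
RAW_MESSAGE = b"""\
From: sender@example.com
To: victim@example.com
Subject: shared file
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

See the attached file.
--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="////'placeholder">file</a></body></html>
--b1--
"""

# Constructed benign message for comparison: an ordinary https link.
BENIGN_MESSAGE = b"""\
From: sender@example.com
To: victim@example.com
Subject: report
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><a href="https://example.com/report">report</a></body></html>
"""


class HrefCollector(HTMLParser):
    """Collects every href attribute found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def is_suspicious_href(href):
    """Heuristic from the analysis: a "////" file-link prefix followed by
    a quote character that could terminate the attribute."""
    return href.startswith("////") and any(q in href for q in "'\"")


def suspicious_hrefs(raw_bytes):
    """Return the suspicious href values found in all text/html parts of a
    raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = HrefCollector()
        collector.feed(part.get_content())
        collector.close()
        found.extend(h for h in collector.hrefs if is_suspicious_href(h))
    return found


if __name__ == "__main__":
    print("sample:", suspicious_hrefs(RAW_MESSAGE))
    print("benign:", suspicious_hrefs(BENIGN_MESSAGE))
```

The check is deliberately narrow, keyed to the two features the analysis names (the "////" prefix and the quote that follows it), so it can be run over a mailbox export without drowning in false positives; it is a detection aid, not a substitute for applying the vendor patch.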

Thanks to Fortinet's FortiGuard Labs for discovering this vulnerability.