Hello Steve, BIG THANKS. Just put this in place and it seems to be working well enough until I can look at it again in the morning.

Thanks,
Will

On Dec 9, 2013, at 1:28 AM, Steve Hillman <hillman@sfu.ca> wrote:

> Hi folks,
> A zero day exploit for Zimbra was released on Friday. I found out about it late last night and spent the night trying to come up with a temporary workaround. The details of the exploit are here: http://www.exploit-db.com/exploits/30085/ . Basically anyone, through a simple URL, can gain access to your site's localconfig.xml file, which has all your Zimbra system passwords. From there they can create an admin-level account and, if port 7071 is exposed, log in to the admin console.
>
> My workaround involves adding a rewrite rule to nginx to look for localconfig being passed in as an argument and block it. To implement, in /opt/zimbra/conf/nginx/templates, edit nginx.conf.web.http.default.template and nginx.conf.web.https.default.template and insert this inside the 'location' block before the 'include' statement:
>
>     if ($args ~ skin=.*localconfig) {
>         rewrite ^/.* / redirect;
>     }
>
> This is a brute force rewrite and will actually create a redirect loop because it doesn't actually replace the args upon doing the redirect, so the URL will still match. If you're more well versed in nginx config than I am, feel free to refine it.
>
> Unfortunately this workaround won't work for a single-server install that's not using the zimbra-proxy package. I've been messing around trying to add a rewrite rule to jetty.xml.in but that doesn't appear to work as the rewrite rule can't see the arguments - only the URL after the arguments have been stripped off. My only other alternative is to install and configure the proxy package on the existing server (which involves messing with SSL certs and such).
>
> I will keep playing, but if anyone has any suggestions for non-proxy Zimbra installs, I'd love to hear them.
>
> --
> Steve Hillman, IT Architect
> hillman@sfu.ca
> Institutional, Collaborative, & Academic Technologies (ICAT)
> 778-782-3960
> Simon Fraser University

—
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration
American University of Sharjah
Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah, United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
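A refined form of the nginx stopgap from Steve's message, added here as an example and not taken from the thread itself. It assumes the same two proxy template files and the same 'location' block, and that no legitimate Zimbra request carries the token 'localconfig' in its query string; it answers the request directly instead of redirecting, which removes the redirect loop Steve describes.

```nginx
# Added example (not the snippet posted in the thread). Drop this inside the
# 'location' block of nginx.conf.web.http.default.template and
# nginx.conf.web.https.default.template, before the 'include' statement,
# exactly where the original rule went.
#
# Changes relative to the original rule:
#   - 'return 403' answers the request itself instead of issuing a redirect,
#     so the client never re-sends the same matching query string and there
#     is no redirect loop.
#   - '~*' makes the regex case-insensitive.
#   - the pattern no longer requires 'skin=' to precede the token, so any
#     query string containing 'localconfig' is refused. This is broader than
#     the original; assumption: no legitimate Zimbra request uses that token.
#
# Caveat: $args is the raw, undecoded query string, so this is a temporary
# mitigation for proxy-based installs until the vendor fix is applied, not a
# replacement for it. Blocked requests still appear in the access log with
# status 403, which gives a simple way to watch for attempts.
if ($args ~* localconfig) {
    return 403;
}
```

After editing the templates, regenerate the proxy configuration and reload nginx as you normally would for a template change so the rule takes effect.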