Hello Xueshan,

On Dec 9, 2013, at 2:25 AM, Xueshan Feng <sfeng@stanford.edu> wrote:

>
> Steve,
>
> Shouldn't 7071 only open to some internal network/bastion host? The quick fix probably is to tighten up the port 7071 access.
>

Agreed, but that doesn't mean I want mysql/ldap passwords floating around on the internet.

[snipped]

>
> So the request was rejected. What versions of ZCS are affected by this?

Worked on our 7.2.1 installation.

Thanks,
Will

>
> Xueshan
>
> ----- Original Message -----
>> Hi folks,
>> A zero day exploit for Zimbra was released on Friday. I found out about it
>> late last night and spent the night trying to come up with a temporary
>> workaround. The details of the exploit are here:
>> http://www.exploit-db.com/exploits/30085/ . Basically anyone, through a
>> simple URL, can gain access to your site's localconfig.xml file which has
>> all your Zimbra system passwords. From there they can create an admin-level
>> account and, if port 7071 is exposed, login to the admin console.
>>
>> My workaround involves adding a rewrite rule to nginx to look for localconfig
>> being passed in as an argument and block it. To implement, in
>> /opt/zimbra/conf/nginx/templates, edit nginx.conf.web.http.default.template
>> and nginx.conf.web.https.default.template and insert this inside the
>> 'location' block before the 'include' statement:
>>
>> if ($args ~ skin=.*localconfig) {
>>     rewrite ^/.* / redirect;
>> }
>>
>> This is a brute force rewrite and will actually create a redirect loop
>> because it doesn't actually replace the args upon doing the redirect, so the
>> URL will still match. If you're more well versed in nginx config than I am,
>> feel free to refine it.
>>
>> Unfortunately this workaround won't work for a single-server install that's
>> not using the zimbra-proxy package. I've been messing around trying to add a
>> rewrite rule to jetty.xml.in but that doesn't appear to work as the rewrite
>> rule can't see the arguments - only the URL after the arguments have been
>> stripped off. My only other alternative is to install and configure the
>> proxy package on the existing server (which involves messing with SSL certs
>> and such)
>>
>> I will keep playing, but if anyone has any suggestions for non-proxy Zimbra
>> installs, I'd love to hear them.
>>
>> --
>> Steve Hillman        IT Architect
>> hillman@sfu.ca       Institutional, Collaborative, & Academic Technologies (ICAT)
>> 778-782-3960         Simon Fraser University
>>
>
> --
> Xueshan Feng <sfeng@stanford.edu>
> Technical Lead, IT Services, Stanford University
>

—
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration
American University of Sharjah
Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
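The thread's workaround only blocks future requests; an administrator who applied it after Friday would also want to know whether anyone had already asked the proxy for localconfig, and from where. The script below is an added example, not code from the thread, from Zimbra, or from any of the people quoted above. It scans nginx-style combined-format access log lines for requests whose query string carries "localconfig" in any parameter value (Steve's rule only looks at the skin parameter; this check is deliberately wider), and tallies per client how many such requests were answered with 200, i.e. served before the block was in place, versus other statuses. The log lines, client addresses and paths are constructed for the example and are not taken from any real Zimbra deployment.

```python
"""Retrospective scan of nginx access logs for query strings that reference
localconfig. Added example; not part of the mailing-list thread or of Zimbra.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# nginx / Apache "combined" log format prefix:
#   client ident user [time] "METHOD target HTTP/x" status bytes ...
# (assumption: the proxy logs in this format; adjust LOG_RE otherwise)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines (documentation address ranges, made-up paths).
# Line 2 was answered 200, line 4 got the 302 produced by the nginx rewrite rule.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Dec/2013:01:12:33 +0000] "GET /zimbra/?skin=harmony HTTP/1.1" 200 5120
203.0.113.77 - - [09/Dec/2013:01:14:05 +0000] "GET /zimbra/?v=1&skin=localconfig HTTP/1.1" 200 13240
198.51.100.5 - - [09/Dec/2013:02:30:11 +0000] "POST /service/soap HTTP/1.1" 200 812
203.0.113.77 - - [09/Dec/2013:03:02:40 +0000] "GET /zimbra/?skin=localconfig HTTP/1.1" 302 154
this line is not in combined format and is skipped
"""


def query_references_localconfig(target: str) -> bool:
    """True if any query parameter value of the request target contains
    'localconfig'. parse_qsl percent-decodes the values, and the comparison
    is case-insensitive, so matching does not depend on how the client
    spelled the request."""
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if "localconfig" in value.lower():
            return True
    return False


def scan_log(lines):
    """Return (client, time, target, status) for every parseable log line
    whose query string references localconfig. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if query_references_localconfig(m.group("target")):
            hits.append((m.group("client"), m.group("time"),
                         m.group("target"), int(m.group("status"))))
    return hits


def summarize(hits):
    """Per-client counts: total matching requests and how many were answered
    200 (served content; everything else, e.g. the 302 from the rewrite rule,
    was not)."""
    summary = {}
    for client, _time, _target, status in hits:
        entry = summary.setdefault(client, {"requests": 0, "served": 0})
        entry["requests"] += 1
        if status == 200:
            entry["served"] += 1
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for client, when, target, status in hits:
        print(f"{when}  {client:<15} {status}  {target}")
    print(summarize(hits))
```

Run against the real proxy log (for example, `scan_log(open(path))`) instead of SAMPLE_LOG. Clients that show "served" greater than zero are the ones to treat as having possibly obtained the file; a client that only ever received 302 was hitting the workaround. Because Steve's rewrite keeps the original query string, a blocked client shows up as a run of consecutive 302 lines with the same target, which is the redirect loop he describes.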