Hi folks,
A zero day exploit for Zimbra was released on Friday. I
found out about it late last night and spent the night trying
to come up with a temporary workaround. The details of the
exploit are here: http://www.exploit-db.com/exploits/30085/
Basically anyone, through a simple URL, can gain access to
your site's localconfig.xml file which has all your Zimbra
system passwords. From there they can create an admin-level
account and, if port 7071 is exposed, login to the admin
console.
My workaround involves adding a rewrite rule to nginx to
look for localconfig being passed in as an argument and block
it. To implement, in /opt/zimbra/conf/nginx/templates, edit
nginx.conf.web.http.default.template and
nginx.conf.web.https.default.template and insert this inside
the 'location' block before the 'include' statement:
    # Block any request whose query string passes localconfig via the skin parameter.
    if ($args ~ skin=.*localconfig) {
        rewrite ^/.* / redirect;
    }
This is a brute force rewrite and will actually create a
redirect loop because it doesn't actually replace the args
upon doing the redirect, so the URL will still match. If
you're more well versed in nginx config than I am, feel free
to refine it.
Unfortunately this workaround won't work for a
single-server install that's not using the zimbra-proxy
package. I've been messing around trying to add a rewrite rule
to jetty.xml.in but that doesn't appear to work as the rewrite
rule can't see the arguments - only the URL after the
arguments have been stripped off. My only other alternative is
to install and configure the proxy package on the existing
server (which involves messing with SSL certs and such).
I will keep playing, but if anyone has any suggestions for
non-proxy Zimbra installs, I'd love to hear them.
--
Steve Hillman
IT Architect
Institutional, Collaborative, & Academic Technologies (ICAT)
Simon Fraser University
hillman@sfu.ca
778-782-3960
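For anyone who wants to check their existing access logs for the same pattern the nginx rule above blocks, here is an added example (not part of the original post and not Zimbra code) that applies the post's `skin=.*localconfig` test to nginx/Jetty-style access log lines. It goes slightly beyond the rule: it matches case-insensitively and also tests a percent-decoded copy of the query string, since nginx's `$args` is the raw query and encoded variants would slip past a literal match. The log lines are constructed samples; the IPs are documentation ranges, not real traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# Same expression the post's nginx rule tests against $args.
# Case-insensitive here, which is broader than nginx's '~' operator.
LOCALCONFIG_PATTERN = re.compile(r"skin=.*localconfig", re.IGNORECASE)

# Common log format: ip ident user [time] "method target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical, not captured from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Dec/2013:02:11:07 -0800] "GET /zimbra/?skin=../../conf/localconfig HTTP/1.1" 200 1834 "-" "curl/7.30.0"
198.51.100.7 - - [09/Dec/2013:02:11:09 -0800] "GET /zimbra/mail?skin=carbon HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Dec/2013:02:11:12 -0800] "GET /zimbra/?skin=..%2F..%2Fconf%2Flocalconfig HTTP/1.1" 200 1834 "-" "curl/7.30.0"
192.0.2.44 - - [09/Dec/2013:02:12:01 -0800] "POST /service/soap HTTP/1.1" 200 312 "-" "Zimbra/8.0"
"""


def request_matches(request_target: str) -> bool:
    """True if the request target's query string references localconfig
    through the skin parameter. Checks the raw query (what nginx $args sees)
    and a percent-decoded copy, so encoded variants are not missed."""
    query = urlsplit(request_target).query
    if not query:
        return False
    return bool(
        LOCALCONFIG_PATTERN.search(query)
        or LOCALCONFIG_PATTERN.search(unquote(query))
    )


def flag_suspicious(log_text: str):
    """Return (client_ip, request_target, status) for each matching line.
    A 200 status on a matching request means the file was most likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if request_matches(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_suspicious(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run it against a real log with `flag_suspicious(open(path).read())`; any hit with a 200 status from before the rule was deployed is worth treating as a likely disclosure of localconfig.xml. On the nginx side, if you adapt the rule from the post, answering the matched request with `return 403;` instead of `rewrite ^/.* / redirect;` blocks it outright and avoids the redirect loop the author describes, because no new request carrying the same arguments is issued.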