nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2010-004 - Zimbra search skin XSS
   Application: Zimbra
        Vendor: Zimbra
Vendor website: http://www.spiceworks.com
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
         Class: XSS
Authentication: Valid session required

  I. BACKGROUND
     Zimbra [1] is an open-source and commercial messaging and collaboration software
     suite.

 II. DETAILS
     A cross-site script (XSS) vulnerability exists within the classic Zimbra web
     interface. This vulnerability exists due to improper output encoding of the
     skin parameter.

     Example:
     http://example.com/zimbra/h/search?skin=--><script src=""></script><!--&
     mesg=welcome&initial=true&app=

     The vendor states that this vulnerability is addressed in version 5.0.20 and
     6.0.2. "The 5.0.x series of releases was not vulnerable to this issue.  We
     applied the same change in 5.0.20 that went into 6.0.2, but that was just for
     safety.  In 5.0.x other code prohibited this exploit."

III. REFERENCES
     [1] - http://www.zimbra.com

 IV. VENDOR COMMUNICATION
     10.07.2009 - Vulnerability Discovery & Vendor Notification.
     10.08.2009 - Vendor bug filed.
     12.15.2009 - Follow-up to find out fix status.
     12.15.2009 - Vendor Statement that this has been addressed.

The contents of this advisory are copyright (c) nGenuity Information  Security
and may be distributed freely provided that no fee is charged  for this distribution
and proper credit is given.