Hi folks,
A zero-day exploit for Zimbra was released on Friday. I found out about it late last night and spent the night trying to come up with a temporary workaround. The details of the exploit are here:
http://www.exploit-db.com/exploits/30085/ . Basically anyone, through a simple URL, can gain access to your site's localconfig.xml file, which has all your Zimbra system passwords. From there they can create an admin-level account and, if port 7071 is exposed, log in to the admin console.
My workaround involves adding a rewrite rule to nginx to look for localconfig being passed in as an argument and block it. To implement it, in /opt/zimbra/conf/nginx/templates edit nginx.conf.web.http.default.template and nginx.conf.web.https.default.template and insert this inside the 'location' block, before the 'include' statement:
    # Block any request whose query string passes "localconfig" via the skin= argument
    if ($args ~ skin=.*localconfig) {
        rewrite ^/.* / redirect;
    }
This is a brute-force rewrite and will actually create a redirect loop, because it doesn't replace the args upon doing the redirect, so the URL will still match. If you're more well versed in nginx config than I am, feel free to refine it.
Unfortunately this workaround won't work for a single-server install that's not using the zimbra-proxy package. I've been messing around trying to add a rewrite rule to jetty.xml.in, but that doesn't appear to work, as the rewrite rule can't see the arguments - only the URL after the arguments have been stripped off. My only other alternative is to install and configure the proxy package on the existing server (which involves messing with SSL certs and such).
I will keep playing, but if anyone has any suggestions for non-proxy Zimbra installs, I'd love to hear them.
--
Steve Hillman, IT Architect
Institutional, Collaborative, & Academic Technologies (ICAT)
Simon Fraser University
hillman@sfu.ca
778-782-3960
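Added example, not part of Steve's post and not code from Zimbra's shipped templates: a refinement of the rule above for the same two proxy templates. It answers 403 instead of redirecting, which removes the redirect loop (a 'rewrite ... redirect' keeps the original query string on the new Location, so the redirected request matched the rule again), and it ties the match to the skin= argument rather than anything after "skin=" anywhere in the query string. It assumes, as the post says, that the attack carries localconfig via the skin= query argument; the second rule, which also refuses directory traversal in that argument, is my addition and is not taken from the exploit or the post.

```nginx
# Added example (not from the original post or from Zimbra's templates).
# Insert inside the 'location' block of
#   /opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
#   /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
# before the 'include' line, then regenerate/restart the proxy as usual.

# 1. Refuse any request whose skin= argument names localconfig.
#    'return 403' ends the request here; nothing is redirected, so there
#    is no loop. '~*' makes the match case-insensitive, and '[^&]*' keeps
#    the match inside the skin= value instead of spanning other arguments.
if ($args ~* "skin=[^&]*localconfig") {
    return 403;
}

# 2. Assumption (my addition): also refuse a skin= value that contains
#    directory traversal, written raw ("..") or percent-encoded ("%2e%2e"
#    or a mix). nginx does not URL-decode $args before matching, so a
#    request that spells part of "localconfig" with percent-escapes would
#    slip past rule 1 alone; any path-traversal attempt still trips here.
if ($args ~* "skin=[^&]*(\.|%2e){2}") {
    return 403;
}
```

Both rules are still subject to the limitation Steve describes: they live in the zimbra-proxy nginx templates and do nothing for a single-server install that is not running the proxy. After editing, check the generated config with the usual `nginx -t` against /opt/zimbra/conf/nginx.conf before restarting, and test with a harmless request such as `?skin=localconfig` to confirm the 403.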