XSS vulnerabilities in chat, ticket view and attachment preview may lead to password leakage.

Please check the Zammad version running on your production systems against the disclosed information immediately. If it falls within the affected version range, take action right away!! If you encounter a suspected security attack, send an email to security @ zammad.com

Details

  • ID: ZAA-2017-01
  • Date: 02/14/2017
  • Subject: XSS vulnerabilities in chat, ticket view and attachment preview may lead to password leakage.
  • Severity: High
  • Affected: Zammad 1.0.x up to 1.2.0
  • Fixed in: Zammad 1.0.4, 1.1.3, 1.2.1
  • References:
    • CVE-2017-5621: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5621
    • CVE-2017-5620: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5620
    • CVE-2017-5619: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5619

Problem description

1 - XSS vulnerability (CVE-2017-5621)

Malicious HTML sent via the REST or WebSocket API (e.g. in ticket articles or chat messages) led to execution in the application domain, causing an XSS vulnerability. Zammad did not properly sanitize user input in chat messages or ticket article contents. This is now fixed with dedicated functionality that prevents this issue in all upcoming chat messages and ticket article contents.

With much gratitude 🙏 for your true love 🤘 we especially ❤️ and sincerely thank:

  • N: nomoketo / Nicole Klünder
  • D: Software- & Webdeveloperin
  • W: https://github.com/nomoketo / https://nomoketo.de

  • N: BenBE / Benny Baumann
  • D: IT Security & OpenSource Developer
  • W: https://github.com/benbe

  • N: raphaelm / Raphael Michel
  • D: Software Developer
  • W: https://github.com/raphaelm / https://raphaelmichel.de

  • N: frank_zabel / Johannes Nickel

2 - Attachments in new tab (CVE-2017-5620)

Attachments were opened in a new tab instead of being downloaded. This created an attack vector for executing malicious HTML in the domain of the Zammad application. This is now fixed for all attachments: they are downloaded instead of shown in a browser tab, which takes them out of the Zammad application domain scope.

With much gratitude 🙏 for your true love 🤘 we especially ❤️ and sincerely thank:

  • N: LukasReschke / Lukas Reschke
  • D: Security Researcher
  • W: https://github.com/LukasReschke

3 - Login with hashed password itself (CVE-2017-5619)

Attackers can log in with the hashed password itself (e.g. taken from the DB) instead of the valid password string. This is only critical if an attacker has already gained access to your user database. The old plain password functionality is now removed and disabled completely. Additionally, password hashing was improved from SHA2 (without a salt) to Argon2. Argon2 is the official winner of the Password Hashing Competition.

With much gratitude 🙏 for your true love 🤘 we especially ❤️ and sincerely thank:

  • N: nomoketo / Nicole Klünder
  • D: Software- & Webdeveloperin
  • W: https://github.com/nomoketo / https://nomoketo.de

  • N: BenBE / Benny Baumann
  • D: IT Security & OpenSource Developer
  • W: https://github.com/benbe

  • N: raphaelm / Raphael Michel
  • D: Software Developer
  • W: https://github.com/raphaelm / https://raphaelmichel.de
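As an added example (not Zammad's own code), the verifier pattern behind issue 3 beside a hardened one: a hypothetical legacy check that compares the stored value to the submitted input directly, and a replacement that always runs the input through a salted KDF and compares in constant time. PBKDF2-HMAC-SHA256 stands in for Argon2 here because it ships with Ruby's standard library; the sample password and salt are constructed.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample of the legacy storage format: unsalted SHA-2 hex digest.
def legacy_hash(password)
  OpenSSL::Digest::SHA256.hexdigest(password)
end

# Vulnerable verifier (hypothetical reconstruction of the pattern the advisory
# describes): a left-over plain-password fallback compares the stored value
# directly against the input, so the stored digest itself is accepted as login.
def legacy_verify(stored, input)
  return true if stored == input # legacy plain-password path (the bug)
  stored == legacy_hash(input)
end

# Constant-time byte comparison so verification does not leak by timing.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened storage: salted, iterated KDF. PBKDF2-HMAC-SHA256 stands in for
# Argon2 (not in the standard library); the record layout is scheme$iter$salt$hash.
def hash_password(password, salt = SecureRandom.hex(16), iterations = 100_000)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                                  OpenSSL::Digest.new('SHA256'))
  "pbkdf2$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

# Hardened verifier: the input is always run through the KDF and never compared
# to the stored record as-is, so presenting the stored record cannot succeed.
def hardened_verify(stored, input)
  scheme, iterations, salt, hex = stored.split('$', 4)
  return false unless scheme == 'pbkdf2' && salt && hex
  dk = OpenSSL::PKCS5.pbkdf2_hmac(input, salt, iterations.to_i, 32,
                                  OpenSSL::Digest.new('SHA256'))
  secure_eq(dk.unpack1('H*'), hex)
end

if $PROGRAM_NAME == __FILE__
  stored = legacy_hash('correct horse')
  puts "legacy accepts its own digest as password: #{legacy_verify(stored, stored)}"
  record = hash_password('correct horse')
  puts "hardened accepts its own record as password: #{hardened_verify(record, record)}"
end
```

The `legacy_verify` case is the regression test to keep: a stored credential presented as the password must be rejected by any verifier you deploy.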

4 - Missing CSRF Token (CVE-2017-6081)

Attackers can send cross-domain POST/PUT/DELETE/PATCH requests via JavaScript in the name of a Zammad user with a valid session, due to missing CSRF tokens. This can be used to send blind payloads to the whole Zammad REST API, performing write actions with the privileges of the attacked user.

With much gratitude 🙏 for your true love 🤘 we especially ❤️ and sincerely thank:

  • N: nomoketo / Nicole Klünder
  • D: Software- & Webdeveloperin
  • W: https://github.com/nomoketo / https://nomoketo.de

5 - Unsafe Access Control Headers (CVE-2017-6080)

Attackers can send cross-domain requests and receive the result via JavaScript in the name of a Zammad user with a valid session, due to missing HTTP Access-Control header restrictions. This can be used to access the whole Zammad REST API with the privileges of the attacked user.

With much gratitude 🙏 for your true love 🤘 we especially ❤️ and sincerely thank:

  • N: nomoketo / Nicole Klünder
  • D: Software- & Webdeveloperin
  • W: https://github.com/nomoketo / https://nomoketo.de

  • N: raphaelm / Raphael Michel
  • D: Softwaredeveloper & Hacker
  • W: https://github.com/raphaelm / https://www.raphaelmichel.de/

Solution

The latest Zammad release fixes these vulnerabilities; we recommend updating to the latest version immediately.

Releases can be found on the following servers:

  • https://ftp.zammad.com.cn/
  • https://ftp.zammad.com/

Alternatively, update to the latest version through your system's package manager.

To protect our customers, we do not disclose, discuss or confirm security issues until an investigation has been completed and a patch or release is available. Before publishing an update, we likewise give priority to updating our customers' systems.

Additional information

This advisory is published at:
https://www.zammad.com.cn/security/ZAA-2017-01_XSS_in_chat_ticket_view_and_attachment_preview/

If you encounter a suspected security attack, send an email to security @ zammad.com