
Thread: ZCS Security Problems

  1. #1
    DSLD (New Member)

    ZCS Security Problems

    Hi Guys,

    During a security assessment performed last week, the auditors found and showed some security problems in a report on my Zimbra production environment, published on the Web.

    My team spent some days fixing the problems, but some points of the report we simply can't fix because we can't find the parts of Zimbra that let the errors occur.

    Please, I want help to:

    Disable the HTTP OPTIONS method from Joomla (I modified both httpd.config files that I found, but the method still appears in Nmap).
    Change the 404 and 403 error pages, because they show some technologies of my server.

    Thanks for Help!

    Additional Information:
    Zimbra 5.0.11_GA_2695
    Apache/2.2.3
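
One way to re-check the two audit findings from the post above after a configuration change, as an added example that is not part of the original thread: it parses HTTP responses and flags an advertised OPTIONS method and version strings in the `Server` header or in 403/404 bodies. The responses are constructed samples (only the `Apache/2.2.3` banner comes from the post); the function names and the host `mail.example.test` are assumptions.

```python
import re

# Product/version tokens such as "Apache/2.2.3".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")

def audit(request_method: str, raw: bytes):
    """Return the findings for one request/response pair."""
    status, headers, body = parse_response(raw)
    findings = []
    # A 2xx answer to OPTIONS carrying an Allow header is what a scanner reports.
    if request_method == "OPTIONS" and 200 <= status < 300 and "allow" in headers:
        findings.append("OPTIONS enabled: " + headers["allow"])
    # Version strings in the Server header.
    for product, version in VERSION_TOKEN.findall(headers.get("server", "")):
        findings.append(f"Server header discloses {product}/{version}")
    # Default 403/404 pages often repeat the banner in the page body.
    if status in (403, 404):
        for product, version in VERSION_TOKEN.findall(body):
            findings.append(f"{status} page discloses {product}/{version}")
    return findings

# Constructed sample responses: before and after hardening.
OPTIONS_BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"
                  b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n")
NOT_FOUND_BEFORE = (b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3\r\n\r\n"
                    b"<h1>Not Found</h1><address>Apache/2.2.3 Server at "
                    b"mail.example.test Port 80</address>")
OPTIONS_AFTER = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
                 b"Allow: GET,HEAD,POST\r\n\r\n")
NOT_FOUND_AFTER = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
                   b"<h1>Page not found</h1>")

if __name__ == "__main__":
    for method, raw in [("OPTIONS", OPTIONS_BEFORE), ("GET", NOT_FOUND_BEFORE),
                        ("OPTIONS", OPTIONS_AFTER), ("GET", NOT_FOUND_AFTER)]:
        print(method, audit(method, raw) or "no findings")
```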

  2. #2
    kruon (Loyal Member, Jyväskylä, Finland)

    Do you have a specific reason to run ancient software instead of upgrading at certain intervals, say once every year?

    Official support for Zimbra 5.x ended 16 months ago, and the last official release was 5.0.26: Zimbra Support Life Cycle Documentation
    Apache 2.2.3 was released in 2006; even oldstable Debian has 2.2.9.

    Spank whoever was responsible for maintaining that system, take a full system backup and migrate immediately would be my suggestion.

  3. #3
    DSLD (New Member)

    Kruon and other forums members:

    Well, I don't have a specific reason to still run this version, but the cost of migration hasn't been analyzed yet and I think my managers still only want this update as a last resort, trying to block the current security problems.

    Do the forum members think the only thing I can do is perform an update of Zimbra? No workaround or fix for my existing version of my Zimbra Suite?

    Thanks again!

  4. #4
    chauvetp (Elite Member, New Paltz, NY)

    I honestly don't know what to do with that specific issue you have. I'm puzzled though since even old versions of Zimbra don't run Joomla (a CMS) so whatever error that is, is a false positive.

    You have more security problems than your audit will show by having such an out of date version so if you are concerned about security (and not just complying with a vulnerability scan), you really should update.

    If I knew more specifics to tell you I would, but it's been a while since I've run that Zimbra version myself and I had not made any such changes when I did. The most I can think of is looking at the /opt/zimbra/tomcat/conf files.
    ---
    Paul Chauvet
    State University of New York at New Paltz

  5. #5
    su_A_ve (Advanced Member)

    Easier said than done...

    We were running 5.0x until a few months ago. Been pushing hard to update to 6 a year ago and eventually was able to go straight to 7.1.4 - 7.2 would not be looked at since it was out for not too long. However, we would not upgrade until our SAN was upgraded. Then, using the fact that Zimbra 5.0x was out of support and RHEL4 was also out of support, once the SAN was upgraded (which included snapshot capabilities) we were able to upgrade to 7.1.4 under RHEL4, and now upgraded hardware and OS to RHEL6.

    On top of this, our identity provisioning system would not work with Zimbra 6 nor 7. We were using the Perl API. It had to be redone in C Sharp.

    12K accounts here btw.

  6. #6
    DSLD (New Member)

    Thanks for the replies, guys.

    Well, if the upgrade is the only solution I will try to sell this idea to our IT manager and see if we reach a solution for the problem by upgrading or by thinking of other mail systems to accomplish this work.

    Thanks!

    Warm Regards!

    LD.
