Thread: [Solved] Severe security risk for internal web services when configuring portal?

  1. #1 StefanVollmar

    [Solved] Severe security risk for internal web services when configuring portal?

    Hello,

    we want to migrate our institute's mail and calendar services to Zimbra and have set up an 8.0.4 ZCS server. We would also like to provide a portal for our users to access some web services that are currently only available from inside our networks (by design).

    Following these instructions:

    ZCS 6.0:Zimlet Developers Guide:Portal - Zimbra :: Wiki
    ZCS 6.0:Zimlet Developers Guide:Proxy Servlet Setup - Zimbra :: Wiki

    we were able to set up the "home" tab and use IFrames to access the web content of some internal web services. This works beautifully.

    However, with considerable irritation we found that

    https://our.zimbra.server/services/p...ternal.service

    now allows anybody to access our internal web service *without any authentication* from outside of our networks.

    Is this a configuration fault on our side?
    How can we make sure that only authenticated users can use the proxy functionality?

    Many thanks in advance.
    Yours sincerely,
    Stefan Vollmar
    --
    Dr. Stefan Vollmar, Dipl.-Phys.
    Head of IT group
    Max-Planck-Institut für neurologische Forschung
    Gleueler Str. 50, 50931 Köln, Germany
    Tel.: +49-221-4726-213 FAX +49-221-4726-298
    Tel.: +49-221-478-5713 Mobile: 0160-93874279
    E-Mail: vollmar@nf.mpg.de MPI Koeln: Home

  2. #2 StefanVollmar

    Solved: Security problem with portal

    Hello,

    sorry about the noise: the thread I opened a few minutes ago is now obsolete, I am happy to say (my post still awaits moderator approval and I suggest you just drop it). It certainly looked like a severe security problem; however, it only appeared to be one. Authentication was provided via an auth cookie from another browser session; this became clear when trying to replicate the problem on another system. So in summary: the portal function is not compromised, using /service/proxy?target=... in a direct URL query does require authentication - and it works beautifully.

    Sorry again,
    Stefan
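The check this thread's question asks for, written as an added example (not code from the thread or from Zimbra): probe /service/proxy?target=... from a cookie-less client, so a stale auth cookie in a browser cannot make the endpoint look open the way it did here. The Zimbra host and the internal target URL are constructed placeholders, and the exact status Zimbra returns for an anonymous request (401, 403 or a login redirect) is treated as an assumption; anything other than a 200 with proxied content counts as "not open".

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Constructed placeholders: replace with your ZCS host and one internal target.
ZIMBRA_BASE = "https://zimbra.example.org"
INTERNAL_TARGET = "http://intranet.example.org/status"


def proxy_url(zimbra_base: str, target: str) -> str:
    """Build the proxy servlet URL with the target percent-encoded."""
    query = urllib.parse.urlencode({"target": target})
    return zimbra_base.rstrip("/") + "/service/proxy?" + query


def classify(status: int, location: Optional[str]) -> str:
    """Verdict for an anonymous request; 'denied' or a redirect is what we want."""
    if status in (401, 403):
        return "denied"
    if 300 <= status < 400:
        # A redirect (e.g. to the login page) means no content was served.
        return "redirect:" + (location or "")
    if status == 200:
        return "open"  # proxied content served to an anonymous client
    return "other:%d" % status


def probe(url: str) -> Tuple[int, Optional[str]]:
    """Fetch with no cookie jar and without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx as HTTPError instead of following it
    # Deliberately no HTTPCookieProcessor: nothing from a browser session leaks in.
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    verdict = classify(*probe(proxy_url(ZIMBRA_BASE, INTERNAL_TARGET)))
    print(verdict)
    sys.exit(1 if verdict == "open" else 0)
```

Run it from outside the network as well as inside; a non-zero exit means the proxy served the internal page to an anonymous client and the setup needs attention.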
