Thread: Zimbra insecurities out-of-the-box

  1. #1 nick99 (Junior Member, joined Jul 2007)

    Zimbra insecurities out-of-the-box

    I just set up a box to try out Zimbra (4.5.6), and I must say I am impressed from a functional level. However, when I dig into it a bit, I have a few security-related concerns.

    While I can make most of these changes myself through a bit of hacking, trial and error, I thought I would solicit some feedback from others to see if anyone has locked it down more, or, even better, bring these things to the attention of the developers so they can be fixed in the release itself.

    1. Lots of binary/config files are owned/writable by the same user that the web server (and other services) run as. This is a poor security practice because if one of these services is exploited and a hacker is able to write to the filesystem, the binaries or config files can be easily overwritten by a hacked version. Since the Zimbra install is done as root, these files should be owned by root and only readable (or executable in the case of binaries) by the zimbra user. Assuming that only the zimbra user needs access, these files could have ownership of root:zimbra and be set to 640 (or 750 for binaries). That way any other user on the system that doesn't need to access these files can't. That said, at least changing the owner from 'zimbra' to 'root' would yield the biggest benefit, even if the mode permissions weren't changed.

    2. On a single-server installation there are several ports that are open to the world that don't need to be. From what I can tell, many of the ports that Zimbra opens up are used for internal communication between Zimbra processes, and as such don't need to be open to the world. Although some of these may be necessary in a multi-server environment, surely in a single-server environment these services should be bound to localhost. Of course these ports can be firewalled off by a host-based firewall, but a good security practice is to lock down any services listening on the host irrespective of any firewall measures.

    3. The default configuration of the spell checker server does not provide any authentication or encryption. Anyone in the world can connect to this port using insecure http and run the aspell php application. Although the functionality of this page is limited, it's not generally a good idea to have any application available to the world that doesn't need to be. While I would imagine that it wouldn't be too hard to use https instead of regular http, I don't know how much work it would be to only allow connections from authenticated users, due to the design. Additionally, I see that when I bring up http://hostname:7780 I get the default Apache page. This is generally not a good idea, since a common way to find web servers to hack is to search the web for certain text that exposes what type/version of web server is running.

    4. When SMTP authentication is disabled, the saslauthd services continue to run after Zimbra is restarted. From what I can tell, these services are not needed unless SASL auth is used, so they shouldn't need to run.

    I am thinking about making a script to secure Zimbra after the install is complete, but I was hoping someone had already done some research and had some notes or a script.

    Anyone? Anyone?
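    A report-only audit for point 1, as an added example that is not part of this thread or of Zimbra's own tooling: it finds files in an install tree that the service account owns and can write to, and prints the root:group owner and 640/750 mode the post suggests (with an optional apply step for root). The install directory and the account/group names are assumptions; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example (not from the thread): audit an install tree for files the
# service account owns and can write, and show the ownership/mode the post
# recommends (root:<svc_group>, 640 for config/data, 750 for executables).
# Paths and account names below are assumptions; adjust for your install.
set -eu

# Mode the post recommends for one file: 750 if executable, otherwise 640.
recommended_mode() {
    if [ -x "$1" ] && [ ! -d "$1" ]; then echo 750; else echo 640; fi
}

# Regular files under $1 owned by user $2 with the owner-write bit (0200) set.
# These are exactly the files a compromised service could replace with its own.
service_writable_files() {
    find "$1" -type f -user "$2" -perm -200 2>/dev/null | sort
}

# Number of such files; a non-zero value is a simple monitoring alarm.
service_writable_count() {
    service_writable_files "$1" "$2" | wc -l | tr -d ' '
}

# audit_tree ROOT SVC_USER [report|apply] [SVC_GROUP]
#   report: print "path owner:group mode -> root:SVC_GROUP recommended_mode"
#   apply:  chown root:SVC_GROUP and chmod to the recommended mode (needs root)
audit_tree() {
    root=$1; svc_user=$2; action=${3:-report}; svc_group=${4:-$svc_user}
    service_writable_files "$root" "$svc_user" | while IFS= read -r f; do
        want=$(recommended_mode "$f")
        if [ "$action" = apply ]; then
            chown "root:$svc_group" "$f"
            chmod "$want" "$f"
        else
            # GNU stat; on BSD/macOS use: stat -f '%Su:%Sg %Lp'
            printf '%s %s -> root:%s %s\n' "$f" "$(stat -c '%U:%G %a' "$f")" \
                "$svc_group" "$want"
        fi
    done
}

# Usage: sh perm_audit.sh /opt/zimbra zimbra [report|apply]
if [ "${1:-}" ]; then
    audit_tree "$1" "${2:-zimbra}" "${3:-report}"
fi
```

    Run it in report mode first and review the list before applying: a few files under the service tree (mail queues, logs, index data) genuinely must stay writable by the service account.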

  2. #2 rasal (Starter Member, joined Aug 2007)

    up

    Hi,

    Nobody to answer nick99's questions?

  3. #3 KevinH (Expert Member, San Mateo, CA, joined Aug 2005)

    We've filed bugs in bugzilla on these and they are being addressed.

    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  4. #4 nick99 (Junior Member, joined Jul 2007)

    Can you please tell us what bug number(s) these are?

  5. #5 KevinH (Expert Member, San Mateo, CA, joined Aug 2005)

    Here are a couple:

    18371
    13788
    15474
    18729