what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IceWarp Mail Server 10.4.5 XSS / XXE Injection

IceWarp Mail Server 10.4.5 XSS / XXE Injection
Posted Jun 25, 2013
Authored by V. Paulikas | Site sec-consult.com

IceWarp Mail Server versions 10.4.5 and below suffer from cross site scripting and XML external entity injection vulnerabilities.

tags | exploit, vulnerability, xss, xxe
SHA-256 | 84d292ec76f89464eea4d17baff572a4b0ef0577f2fb641e3f8541b6a69f2f43

IceWarp Mail Server 10.4.5 XSS / XXE Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130625-0 >
=======================================================================
title: Multiple vulnerabilities in IceWarp Mail Server
product: IceWarp Mail Server
vulnerable version: <=10.4.5
fixed version: 10.4.5-1
impact: Critical
homepage: http://www.icewarp.com
found: 2013-05-28
by: V. Paulikas
SEC Consult Vulnerability Lab
=======================================================================

Vendor description:
-------------------
IceWarp Mail Server delivers a highly integrated solution, including Mail
Server with dual Anti-Spam & Anti-Virus protection and available add on options
including the IceWarp GroupWare Server, Instant Messaging Server, Text
Messaging Server, a unified WebClient interface, full mobile device
synchronization and much more.

http://www.icewarp.com/


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an unauthenticated attacker can get
read access to the filesystem of the IceWarp Mail Server host and thus obtain
sensitive information such as the configuration files, etc. It is also
possible to scan ports of the internal hosts and cause DoS on the affected host.


Vulnerability overview/description:
---------------------------------------------
1) Cross-Site Scripting

The web GUI is prone to reflected cross site scripting attacks. The
vulnerability can be used to include HTML or JavaScript code in the affected
web page. The code is executed in the browser of users if they visit the
manipulated URL.


2) XML External Entity Injection

The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning). The risk of this vulnerability is highly increased by the fact
that it can be exploited by anonymous users without existing user accounts.


Proof of concept:
-----------------
Detailed proof of concept URLs or exploit code have been removed from this
advisory.

1) A cross site scripting vulnerability can be exploited by tricking the user
into accessing a specially crafted URL. This vulnerability was identified in
the following scripts:

/webmail/calendar/index.html
/admin/tools/svnparser.html


2) The unauthenticated XML External Entity Injection vulnerability can be
exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html
script.
The /rpc/api.html script was also identified to be vulnerable to XML external
Entity Injection, but for successful exploitation valid administrator
credentials are necessary.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the IceWarp Mail Server
version 10.4.5, which was the most recent version at the time of discovery.


Vendor contact log:
------------------------
2013-06-07: Contacting vendor through tonda@icewarp.com
2013-06-07: Initial vendor response
2013-06-07: Forwarding security advisory to vendor
2013-06-07: Vendor acknowledges that the advisory was received
2013-06-11: Vendor releases the patch
2013-06-25: SEC Consult releases coordinated security advisory.


Solution:
---------
IceWarp customers running version 10.4.5 may apply a patch available
via http://www.icewarp.com/download/patches/10.4.5/html.zip

Customers using the older versions are recommended to upgrade to
IceWarp Server 10.4.5-1.

The file /admin/tools/svnparser.html is recommended to be removed
as it is not necessary for the admin panel anymore.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close