SEC Consult Vulnerability Lab Security Advisory < 20130625-0 >
=======================================================================
              title: Multiple vulnerabilities in IceWarp Mail Server
            product: IceWarp Mail Server
 vulnerable version: <=10.4.5
      fixed version: 10.4.5-1
             impact: Critical
           homepage: http://www.icewarp.com
              found: 2013-05-28
                 by: V. Paulikas
                     SEC Consult Vulnerability Lab
=======================================================================

Vendor description:
-------------------
IceWarp Mail Server delivers a highly integrated solution, including Mail
Server with dual Anti-Spam & Anti-Virus protection and available add on options
including the IceWarp GroupWare Server, Instant Messaging Server, Text
Messaging Server, a unified WebClient interface, full mobile device
synchronization and much more.

http://www.icewarp.com/


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an unauthenticated attacker can get
read access to the filesystem of the IceWarp Mail Server host and thus obtain
sensitive information such as the configuration files, etc. It is also
possible to scan ports of the internal hosts and cause DoS on the affected host.


Vulnerability overview/description:
---------------------------------------------
1) Cross-Site Scripting

The web GUI is prone to reflected cross site scripting attacks. The
vulnerability can be used to include HTML or JavaScript code in the affected
web page. The code is executed in the browser of users if they visit the
manipulated URL.


2) XML External Entity Injection

The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning). The risk of this vulnerability is highly increased by the fact
that it can be exploited by anonymous users without existing user accounts.


Proof of concept:
-----------------
Detailed proof of concept URLs or exploit code have been removed from this
advisory.

1) A cross site scripting vulnerability can be exploited by tricking the user
into accessing a specially crafted URL. This vulnerability was identified in
the following scripts:

/webmail/calendar/index.html
/admin/tools/svnparser.html
      

2) The unauthenticated XML External Entity Injection vulnerability can be
exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html
script.
The /rpc/api.html script was also identified to be vulnerable to XML external
Entity Injection, but for successful exploitation valid administrator
credentials are necessary.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the IceWarp Mail Server
version 10.4.5, which was the most recent version at the time of discovery.


Vendor contact log:
------------------------
2013-06-07: Contacting vendor through tonda@icewarp.com
2013-06-07: Initial vendor response
2013-06-07: Forwarding security advisory to vendor
2013-06-07: Vendor acknowledges that the advisory was received
2013-06-11: Vendor releases the patch
2013-06-25: SEC Consult releases coordinated security advisory.


Solution:
---------
IceWarp customers running version 10.4.5 may apply a patch available
via http://www.icewarp.com/download/patches/10.4.5/html.zip

Customers using the older versions are recommended to upgrade to
IceWarp Server 10.4.5-1.

The file /admin/tools/svnparser.html is recommended to be removed
as it is not necessary for the admin panel anymore.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013