Secunia Security Advisory - Multiple unspecified vulnerabilities have been reported in IceWarp 1.x through 5.x Web Mail, which can potentially be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, access sensitive information, and manipulate the file system.
86c6387d579030f9a351128ed48bb42d89598447d40d17ff06be88c479550ad5
TITLE:
IceWarp Web Mail Multiple Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA12269
VERIFY ADVISORY:
http://secunia.com/advisories/12269/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Security Bypass, Cross Site Scripting, Manipulation of data,
Exposure of system information, Exposure of sensitive information
WHERE:
>From remote
SOFTWARE:
IceWarp Web Mail 5.x
http://secunia.com/product/3775/
IceWarp Web Mail 1.x
http://secunia.com/product/756/
IceWarp Web Mail 2.x
http://secunia.com/product/757/
IceWarp Web Mail 3.x
http://secunia.com/product/758/
IceWarp Web Mail 4.x
http://secunia.com/product/2283/
DESCRIPTION:
Multiple unspecified vulnerabilities have been reported in IceWarp
Web Mail, which can potentially be exploited by malicious people to
conduct cross-site scripting and SQL injection attacks, access
sensitive information, and manipulate the file system.
The vendor has provided the following information, which is security
related, in the release notes:
- HTML validation fix (foldertree)
- writemail shortcuts improvement
- calendar/note/modify FIX
- getusersession secured
- CSS attacks calendar.html/notes/foldername
accountsettings/add/accountname search/search string address/group
name
- Making any directories on target system. (logged user)
- Full install path disclosure. (guest)
- Viewing or downloading any attachments.
- Deleting any files on target system.
- Moving any files or directories on target system. (guest)
- Renaming any files or directories on target system. (logged user)
- Security vulerabilities fixed: SQL injection
- Security vulerabilities fixed: attachment,schedule/calendar -
execute without knowing user's session ID number
SOLUTION:
Update to version 5.2.8.
http://www.icewarp.com/Download/
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.icewarp.com/Products/IceWarp_Web_Mail/releasenotes_webmail.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------