SEC Consult Vulnerability Lab Security Advisory < 20130625-0 > ======================================================================= title: Multiple vulnerabilities in IceWarp Mail Server product: IceWarp Mail Server vulnerable version: <=10.4.5 fixed version: 10.4.5-1 impact: Critical homepage: http://www.icewarp.com found: 2013-05-28 by: V. Paulikas SEC Consult Vulnerability Lab ======================================================================= Vendor description: ------------------- IceWarp Mail Server delivers a highly integrated solution, including Mail Server with dual Anti-Spam & Anti-Virus protection and available add on options including the IceWarp GroupWare Server, Instant Messaging Server, Text Messaging Server, a unified WebClient interface, full mobile device synchronization and much more. http://www.icewarp.com/ Business recommendation: ------------------------ By exploiting the XXE vulnerability, an unauthenticated attacker can get read access to the filesystem of the IceWarp Mail Server host and thus obtain sensitive information such as the configuration files, etc. It is also possible to scan ports of the internal hosts and cause DoS on the affected host. Vulnerability overview/description: --------------------------------------------- 1) Cross-Site Scripting The web GUI is prone to reflected cross site scripting attacks. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated URL. 2) XML External Entity Injection The used XML parser is resolving external XML entities which allows attackers to read files and send requests to systems on the internal network (e.g port scanning). The risk of this vulnerability is highly increased by the fact that it can be exploited by anonymous users without existing user accounts. Proof of concept: ----------------- Detailed proof of concept URLs or exploit code have been removed from this advisory. 1) A cross site scripting vulnerability can be exploited by tricking the user into accessing a specially crafted URL. This vulnerability was identified in the following scripts: /webmail/calendar/index.html /admin/tools/svnparser.html 2) The unauthenticated XML External Entity Injection vulnerability can be exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html script. The /rpc/api.html script was also identified to be vulnerable to XML external Entity Injection, but for successful exploitation valid administrator credentials are necessary. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in the IceWarp Mail Server version 10.4.5, which was the most recent version at the time of discovery. Vendor contact log: ------------------------ 2013-06-07: Contacting vendor through tonda@icewarp.com 2013-06-07: Initial vendor response 2013-06-07: Forwarding security advisory to vendor 2013-06-07: Vendor acknowledges that the advisory was received 2013-06-11: Vendor releases the patch 2013-06-25: SEC Consult releases coordinated security advisory. Solution: --------- IceWarp customers running version 10.4.5 may apply a patch available via http://www.icewarp.com/download/patches/10.4.5/html.zip Customers using the older versions are recommended to upgrade to IceWarp Server 10.4.5-1. The file /admin/tools/svnparser.html is recommended to be removed as it is not necessary for the admin panel anymore. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF V. Paulikas / @2013