TITLE: IceWarp Web Mail Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17046 VERIFY ADVISORY: http://secunia.com/advisories/17046/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information WHERE: >From remote SOFTWARE: Merak Mail Server 8.x http://secunia.com/product/5054/ IceWarp Web Mail 5.x http://secunia.com/product/3775/ DESCRIPTION: ShineShadow has discovered some vulnerabilities in IceWarp Web Mail, which can be exploited by malicious people to conduct cross-site scripting attacks, delete arbitrary files, and disclose system and sensitive information. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Examples: http://[host]:32000/mail/blank.html?id=[code] http://[host]:32000/mail/calendar_d.html?schedule=1&print=1&createdataCX=[code] http://[host]:32000/mail/calendar_m.html?schedule=1&print=1&createdataCX=[code] http://[host]:32000/mail/calendar_w.html?schedule=1&print=1&createdataCX=[code] 2) The problem is that it is possible to disclose the full path to the installation directory by accessing the "mail/bwlist_inc.html" and "accounts/bwlist_inc.html" scripts directly. 3) Input passed to the "id" parameter in "mail/logout.html" isn't properly verified, before it is used to delete files. This can be exploited to remove arbitrary files and empty directories. 4) Input passed to the "helpid" parameter in "accounts/help.html" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources. The vulnerabilities have been confirmed in Merak Mail Server 8.2.4r with IceWarp Web Mail 5.5.1. Other versions may also be affected. SOLUTION: Filter traffic to port 32000. PROVIDED AND/OR DISCOVERED BY: ShineShadow ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------