Multiple vulnerabilities in IceWarp Mail Server

SEC Consult Vulnerability Lab Security Advisory < 20130625-0 >

=======================================================================

title: Multiple vulnerabilities in IceWarp Mail Server

product: IceWarp Mail Server

vulnerable version: <=10.4.5

fixed version: 10.4.5-1

impact: Critical

homepage: www.icewarp.com

found: 2013-05-28

by: V. Paulikas

SEC Consult Vulnerability Lab

=======================================================================

 

Vendor description:

-------------------

IceWarp Mail Server delivers a highly integrated solution, including Mail

Server with dual Anti-Spam & Anti-Virus protection and available add on options

including the IceWarp GroupWare Server, Instant Messaging Server, Text

Messaging Server, a unified WebClient interface, full mobile device

synchronization and much more.

 

www.icewarp.com

 

 

Business recommendation:

------------------------

By exploiting the XXE vulnerability, an unauthenticated attacker can get

read access to the filesystem of the IceWarp Mail Server host and thus obtain

sensitive information such as the configuration files, etc. It is also

possible to scan ports of the internal hosts and cause DoS on the affected host.

 

 

Vulnerability overview/description:

---------------------------------------------

1) Cross-Site Scripting

 

The web GUI is prone to reflected cross site scripting attacks. The

vulnerability can be used to include HTML or JavaScript code in the affected

web page. The code is executed in the browser of users if they visit the

manipulated URL.

 

 

2) XML External Entity Injection

 

The used XML parser is resolving external XML entities which allows attackers

to read files and send requests to systems on the internal network (e.g port

scanning). The risk of this vulnerability is highly increased by the fact

that it can be exploited by anonymous users without existing user accounts.

 

 

Proof of concept:

-----------------

Detailed proof of concept URLs or exploit code have been removed from this

advisory.

 

1) A cross site scripting vulnerability can be exploited by tricking the user

into accessing a specially crafted URL. This vulnerability was identified in

the following scripts:

 

/webmail/calendar/index.html

/admin/tools/svnparser.html

 

 

2) The unauthenticated XML External Entity Injection vulnerability can be

exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html

script.

The /rpc/api.html script was also identified to be vulnerable to XML external

Entity Injection, but for successful exploitation valid administrator

credentials are necessary.

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in the IceWarp Mail Server

version 10.4.5, which was the most recent version at the time of discovery.

 

 

Vendor contact log:

------------------------

2013-06-07: Contacting vendor through tonda@icewarp.com

2013-06-07: Initial vendor response

2013-06-07: Forwarding security advisory to vendor

2013-06-07: Vendor acknowledges that the advisory was received

2013-06-11: Vendor releases the patch

2013-06-25: SEC Consult releases coordinated security advisory.

 

 

Solution:

---------

IceWarp customers running version 10.4.5 may apply a patch available

via www.icewarp.com/download/patches/10.4.5/html.zip

 

Customers using the older versions are recommended to upgrade to

IceWarp Server 10.4.5-1.

 

The file /admin/tools/svnparser.html is recommended to be removed

as it is not necessary for the admin panel anymore.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF V. Paulikas / @2013