mailing list archives
SEC Consult SA-20130625-0 :: Multiple vulnerabilities in IceWarp Mail Server
From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Tue, 25 Jun 2013 12:33:41 +0300
SEC Consult Vulnerability Lab Security Advisory < 20130625-0 >
title: Multiple vulnerabilities in IceWarp Mail Server
product: IceWarp Mail Server
vulnerable version: <=10.4.5
fixed version: 10.4.5-1
by: V. Paulikas
SEC Consult Vulnerability Lab
IceWarp Mail Server delivers a highly integrated solution, including Mail
Server with dual Anti-Spam & Anti-Virus protection and available add on options
including the IceWarp GroupWare Server, Instant Messaging Server, Text
Messaging Server, a unified WebClient interface, full mobile device
synchronization and much more.
By exploiting the XXE vulnerability, an unauthenticated attacker can get
read access to the filesystem of the IceWarp Mail Server host and thus obtain
sensitive information such as the configuration files, etc. It is also
possible to scan ports of the internal hosts and cause DoS on the affected host.
1) Cross-Site Scripting
The web GUI is prone to reflected cross site scripting attacks. The
web page. The code is executed in the browser of users if they visit the
2) XML External Entity Injection
The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning). The risk of this vulnerability is highly increased by the fact
that it can be exploited by anonymous users without existing user accounts.
Proof of concept:
Detailed proof of concept URLs or exploit code have been removed from this
1) A cross site scripting vulnerability can be exploited by tricking the user
into accessing a specially crafted URL. This vulnerability was identified in
the following scripts:
2) The unauthenticated XML External Entity Injection vulnerability can be
exploited by issuing a specially crafted HTTP POST request to the /rpc/gw.html
The /rpc/api.html script was also identified to be vulnerable to XML external
Entity Injection, but for successful exploitation valid administrator
credentials are necessary.
Vulnerable / tested versions:
The vulnerabilities have been verified to exist in the IceWarp Mail Server
version 10.4.5, which was the most recent version at the time of discovery.
Vendor contact log:
2013-06-07: Contacting vendor through tonda () icewarp com
2013-06-07: Initial vendor response
2013-06-07: Forwarding security advisory to vendor
2013-06-07: Vendor acknowledges that the advisory was received
2013-06-11: Vendor releases the patch
2013-06-25: SEC Consult releases coordinated security advisory.
IceWarp customers running version 10.4.5 may apply a patch available
Customers using the older versions are recommended to upgrade to
IceWarp Server 10.4.5-1.
The file /admin/tools/svnparser.html is recommended to be removed
as it is not necessary for the admin panel anymore.
SEC Consult Vulnerability Lab
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
EOF V. Paulikas / @2013
- SEC Consult SA-20130625-0 :: Multiple vulnerabilities in IceWarp Mail Server SEC Consult Vulnerability Lab (Jun 25)