what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IceWarp 12.2.0 / 12.1.x Cross Site Scripting

IceWarp 12.2.0 / 12.1.x Cross Site Scripting
Posted Jan 2, 2020
Site redteam-pentesting.de

IceWarp versions 12.2.0 and 12.1.x suffer from a cross site scripting vulnerability in notes for contacts.

tags | exploit, xss
advisories | CVE-2019-19265
SHA-256 | f8814a82a36dc00eee0a52da74246db07520136d11a87989e301009965cf04e9

IceWarp 12.2.0 / 12.1.x Cross Site Scripting

Change Mirror Download
Advisory: IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted cross-site scripting
attacks in its contact module. If IceWarp users import a manipulated
vcard, for example from an email, attackers can run arbitrary JavaScript
code in the users' browsers.


Details
=======

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-15
Advisory Status: published
CVE: CVE-2019-19265
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265

Introduction
============

"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."
(from the vendor's homepage)


More Details
============

IceWarp allows users to import contacts in vcard format [1] from emails.
These contacts can contain HTML notes as can be seen by exporting notes
created by IceWarp. The following line shows such a note:

------------------------------------------------------------------------
X-ALT-NOTE;FMTTYPE=text/html:<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------

By inserting JavaScript here, a cross-site scripting vulnerability can
be exploited if an IceWarp user imports such a manipulated contact into
IceWarp. The property handling for the HTML formatted note "X-ALT-NOTE"
and "FMTTYPE" is not defined in the vcard [1] standard, but is borrowed
from the calendar file format ical [2]. Originally, the vcard standard
uses the property "NOTE". This field can be used to exploit a cross-site
scripting in IceWarp, too.


Proof of Concept
================

Send an IceWarp user one of the following vcards:

------------------------------------------------------------------------
BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">
EMAIL;TYPE=INTERNET,PREF:testuser1@example.com
END:VCARD
------------------------------------------------------------------------

or

------------------------------------------------------------------------
BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
NOTE:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">
EMAIL;TYPE=INTERNET,PREF:testuser1@example.com
END:VCARD
------------------------------------------------------------------------


Workaround
==========

None known.


Fix
===

Update to IceWarp 12.2.1.1.


Security Risk
=============

Attackers without an account on the IceWarp system can send specially
crafted vcard [1] files to IceWarp users. If an IceWarp user imports
that new contact into the IceWarp web application a cross-site scripting
vulnerability can be exploited. That could, for example, be used to
display a fake login form and get access to the user's credentials, or
to access any data stored in IceWarp such as emails, contacts, tasks,
files or appointments. Access to these could be abused to exploit the
vulnerability described in rt-sa-2019-016 [3].
This is considered to pose a high risk.


Timeline
========

2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released


References
==========

[1] https://tools.ietf.org/html/rfc6350
[2] https://tools.ietf.org/html/rfc2445
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close