IceWarp WebMail Server: Cross Site Scripting in Email View
Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-001
Advisory Status: published
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467
"Feature complete yet easy to use, WebMail Server Pro provides feature rich Web 2.0 web-based access to email, calendars, contacts, files and shared data from any computer with browser and internet connection, without the usual configuration hassle. Thanks to advanced technologies and application-like look and feel, Pro suggests it was born to become the ultimate replacement of Outlook and similar desktop mail clients."
(from the vendor's homepage)
This filtering function can be circumvented in various ways, to still allow XSS to happen.
Beginning in line 462 down to line 482, the cleanHTML() function removes
or changes a variety of keywords which are considered malicious. This
includes the removal of all attributes starting with "on" (e.g.
"vbscript" to "noscript".
Later, in line 485, the cleanHTML() function completely removes various HTML
tags from the email:
$string = preg_replace('#</*(meta|xml|blink|link|embed|object|iframe|
By inserting one of these HTML tags, which gets removed by the filtering
function, between the keywords which get filtered before, the cleanHTML()
function will not recognize them anymore. Later, it will remove the HTML
tag and thereby make the keyword valid again.
Proof of Concept Tag Removal
An HTML email with the following content will open an alert box in victims' browsers when they move the mouse over the "XSS" text of the <div> tag:
Another way to circumvent the filtering is to use hex-encoded HTML
entities. The character "j" can e.g. be encoded as "j". The
cleanHTML() function decodes the given string once in line 459:
$string = html_entity_decode($string, ENT_COMPAT, "UTF-8");
By double encoding the input, all regular expressions used for filtering
will fail to recognize malicious content even after the first decoding.
The effect of this vulnerability is limited by the fact that HTML
encoded entities are recognized by browsers only if they are part of a
text node or attribute values.
Proof of Concept Hex Encoding
The "src" attribute value of the HTML tag
can be double encoded as
<img src=&#x6a;&#x6 1;&#x76;&#x 61;&#x73;&# x63;&#x72;& #x69;&#x70; &#x74;&#x3a ;&#x61;&#x6 c;&#x65;&#x 72;&#x74;&# x28;&#x34;& #x32;&#x29;>
This will be decoded by the html_entity_decode() function in line 459 to the string
The value of the "src" attribute will not be recognized by the filtering attempts following the decoding in the cleanHTML() function.
Users can disable the HTML message view in their configuration, so emails are only displayed as plaintext.
Upgrade to version 9.4.2.
2009-03-23 Vulnerabilities identified during a penetration test
2009-04-01 Meeting with customer and vendor
2009-04-28 CVE number assigned
2009-05-05 Vendor publishes fixed version
2009-05-05 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.