SecurityTracker.com
Category:   Application (E-mail Server)  >   IceWarp Web Mail
Vendors:   IceWarp Software
IceWarp Web Mail Software Input Validation Hole in Address Book Lets Remote Users Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID:  1005064
SecurityTracker URL:  http://securitytracker.com/id/1005064
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 15 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.3.3
Description:   An input validation vulnerability was reported in IceWarp Web Mail. A remote user may be able to cause arbitrary scripting code to be executed on the target user's computer.

It is reported that a remote user may be able to exploit the lack of input filtering in the 'Full Name' segment of the address book. The 'Full Name' value is later written unescaped into the address-book dropdown menus on the compose page, so the injected script runs each time the target user opens that page. This exploit requires the remote user to know or determine the target user's session ID, which IceWarp carries in the URL rather than in a cookie (it may be possible to obtain this static session ID via a previously reported flaw from February 2002).

A demonstration exploit URL is provided:

http://<Icewarp-Using-Site>:32000/mail/addressaction.html?id=<USER ID#>&newaddress=1&addressname=<script>alert('DarCNesS%20Overwhelms')</script>&addressemail=DarC_KonQuesT@phreaker.net

The script code that is executed will originate from the site running IceWarp and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor has reportedly been notified.
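The following Node.js script is an added example, not code from the advisory or from IceWarp; it models the flaw described above. It parses the crafted addressaction URL the way the "Add Address" page would (the session ID rides in the query string, which is why the attacker must know it), then renders the stored "Full Name" into the three To:/Cc:/Bcc: dropdowns twice: once raw, reproducing the three executions the reporter describes, and once with output escaping. The host name and e-mail address are constructed placeholders, the session ID is the one shown in the source message's inbox URL, and the two render functions are an assumed approximation of the compose page, not IceWarp's implementation.

```javascript
// Added example (not IceWarp code): stored XSS via an unescaped address-book
// "Full Name", and the output escaping that prevents it.

// Constructed input: the advisory's crafted URL with a placeholder host and
// the session id taken from the source message's inbox URL.
const craftedUrl =
  "http://webmail.example:32000/mail/addressaction.html" +
  "?id=e68972360786c64b3aa14dc0f60b1aa6&newaddress=1" +
  "&addressname=<script>alert('DarCNesS%20Overwhelms')</script>" +
  "&addressemail=attacker@example.net";

// Extract the fields the "Add Address" page would pre-fill. The session id
// is an ordinary query parameter, so anyone who sees the URL can reuse it.
function parseAddressAction(url) {
  const u = new URL(url);
  return {
    sessionId: u.searchParams.get("id"),
    name: u.searchParams.get("addressname"),
    email: u.searchParams.get("addressemail"),
  };
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const FIELDS = ["To", "Cc", "Bcc"];

// Vulnerable rendering (assumed shape): the stored name is interpolated raw
// into every dropdown, so the payload lands once per field, three times.
function renderComposeVulnerable(addressBook) {
  const options = addressBook
    .map((e) => `<option value="${e.email}">${e.name}</option>`)
    .join("");
  return FIELDS.map(
    (f) => `<label>${f}: <select name="${f.toLowerCase()}">${options}</select></label>`
  ).join("\n");
}

// Hardened rendering: escape on output in both attribute and text context.
// Validating the name on input is a useful second layer, but escaping at the
// point of rendering is what actually closes the hole.
function renderComposeFixed(addressBook) {
  const options = addressBook
    .map((e) => `<option value="${escapeHtml(e.email)}">${escapeHtml(e.name)}</option>`)
    .join("");
  return FIELDS.map(
    (f) => `<label>${f}: <select name="${f.toLowerCase()}">${options}</select></label>`
  ).join("\n");
}

// Crude demonstration check: count literal opening <script> tags in markup.
function countScriptTags(html) {
  return (html.match(/<script>/g) || []).length;
}

// Run the comparison and return the numbers so they can be checked.
function runDemo() {
  const entry = parseAddressAction(craftedUrl);
  return {
    storedName: entry.name,
    vulnerableScriptTags: countScriptTags(renderComposeVulnerable([entry])),
    fixedScriptTags: countScriptTags(renderComposeFixed([entry])),
  };
}

console.log(runDemo());
```

The vulnerable page contains the `<script>` tag three times, one per dropdown; the escaped page contains none, and the name appears literally in the menu as text. Note that the example treats the victim's session ID as already known, which the reporter identifies as the main obstacle to exploitation.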

Impact:   A remote user can create a URL that, when loaded by a target user, will cause arbitrary scripting code to be executed on the target user's computer. The code may be able to access the target user's cookies (including authentication cookies), if any, associated with the IceWarp server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.icewarp.com/Products/IceWarp_Web_Mail/
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 14 Aug 2002 21:23:43 -0500
Subject:  IceWarp Webmail XSS


DarC KonQuesT XSS Release-

Product: IceWarp Webmail 3.3.3 (tested, others possibly vulnerable)
Vendor: IceWarp Software - E-mail: info@icewarp.com
Web: www.icewarp.com
Problem: Cross Site Scripting
Severity: Mild-Moderate
Operating System(s): Tested against Win2k but all others if objects are
handled the same way.
Discovered: July 28, 2002
Vendor Notified: August 4, 2002
Public Release: Now - August 24

Background:
    IceWarp Webmail is a nice webmail daemon that "is a full featured top
quality web mail solution which works with any mail server and lets you
access your email office remotely from any browser on the Internet or your
local network" (IceWarp.com). Web Mail runs on Windows XP/2000/NT/9X/ME,
supports SMTP/POP3/IMAP4/HTTP Internet protocols and has a spell checker,
remote web administration, any attachment support, private and shared
address books, groups, signatures, multiple mail server support and many
other powerful options (IceWarp.com). According to their site it was first
officially released on March 6, 2000.

Problem:
    IceWarp has a nifty little feature where your address book appears as a
dropdown menu next to the message's "To:", "Cc:", and "Bcc:" fields which
makes sending a message to a contact in your address book very easy. When
IceWarp loads your address book into these dropdown menus it doesn't
sanitize the "Full Name" segment so malicious code (or any code, I don't
care) can be placed into this field and it will be executed whenever the
user loads the page to write a new message. However, since the dropdown menu
appears thrice (beside each field) the code will execute 3 times.
One problem with providing a link to automatically enter this data into the
address book is that IceWarp uses ID numbers to keep track of the logged in
user. If you do not know this number then IceWarp lists the user as not
logged in. Therefore it becomes more difficult to execute an XSS attack. This
number is randomly generated (I think), and changes every time the user logs
in. This number can be seen in the URL or many places in the code of the
page.

Code from inbox:

http://<IceWarp-using-site>:32000/mail/readmail.html?folder=inbox&get=1&id=e68972360786c64b3aa14dc0f60b1aa6
You can see the ID number listed beside 'id='

Exploit (almost):
    A URL can be crafted easily which will fill in the values on the 'Add
Address' page just by viewing the code. The one I used is as follows:
NOTE: I used some encoding for the spaces but none was necessary for the
page I tested on. However, encoding the entire URL would be a good way to
disguise the intentions of it.

http://<Icewarp-Using-Site>:32000/mail/addressaction.html?id=<USER ID#>&newaddress=1&addressname=<script>alert('DarCNesS%20Overwhelms')</script>&addressemail=DarC_KonQuesT@phreaker.net

The problem with this is that it will go to the page (if you know the ID#),
and fill in the required fields. However it will not submit the form. I'll
leave this for someone else to figure out. An easier way would be if the
page used CGI or PHP where the form could be submitted solely through the
URL and then redirect to another site etc...
But, as far as I have found, all the transactions are handled by an
executable file rather than scripts.
Another problem is that instead of cookies IceWarp uses ID numbers which
reduces the chances of our URL working (because we need to have their ID
number and they must still be in that session).

Vendor Action:
    I notified IceWarp about 1 A.M. and Adam of IceWarp replied by noon. His
response was composed of the following:
"Hello Cameron, Ok.. I send your notice to our developers. Thanks"
and that was the last I've heard from them.
::shrug:: at least he was prompt about it.

Aftermath:
    It seems to me this has all the normal dangers of an XSS hole so listing
them seems pointless (I'm sure we've all seen them). If someone develops a
way to submit the form through the URL or by bypassing the form altogether
I'd definitely like to see how you did it. Same thing if someone expands this
idea to include other/larger possibilities.
Later on, and have fun,

- DarC KonQuesT -(DiR)-

P.S. - More lame advisories to come! (XSS is pathetic and remarkably
widespread...)

Greets:
DarCLinG, V3ga, st3v3, Jenn, Christina, ACES, and M. Howard

"Congress shall make no law abridging the freedom of sXXXch, or the right of
the people peaceably to XXXemble, and to peXXXion the government for a
redress of grievances." -- Marc Rotenberg



Copyright 2013, SecurityGlobal.net LLC