Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
IceWarp Web Mail Software Input Validation Hole in Address Book Lets Remote Users Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID: 1005064|
SecurityTracker URL: http://securitytracker.com/id/1005064
(Links to External Site)
Date: Aug 15 2002
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Exploit Included: Yes |
An input validation vulnerability was reported in IceWarp Web Mail. A remote user may be able to cause arbitrary scripting code to be executed on the target user's computer.|
It is reported that a remote user may be able to exploit the lack of input filtering in the 'Full Name' segment of the address book. This exploit requires the remote user to know or determine the the user's session ID number (it may be possible to obtain this static session ID via a previously reported flaw from February 2002).
A demonstration exploit URL is provided:
The script code that is executed will originate from the site running IceWarp and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has reportedly been notified.
A remote user can create a URL that, when loaded by a target user, will cause arbitrary scripting code to be executed on the target user's computer. The code may e able to access the target user's cookies (including authentication cookies), if any, associated with the IceWarp server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.|
No solution was available at the time of this entry.|
Vendor URL: www.icewarp.com/Products/IceWarp_Web_Mail/ (Links to External Site)
Input validation error|
Source Message Contents
Date: Wed, 14 Aug 2002 21:23:43 -0500|
Subject: IceWarp Webmail XSS
DarC KonQuesT XSS Release-
Product: IceWarp Webmail 3.3.3 (tested, others possibly vulnerable)
Vendor: IceWarp Software - E-mail: email@example.com
Problem: Cross Site Scripting
Operating System(s): Tested against Win2k but all others if objects are
handled the same way.
Discovered: July 28, 2002
Vendor Notified: August 4, 2002
Public Release: Now - August 24
IceWarp Webmail is a nice webmail daemon that "is a full featured top
quality web mail solution which works with any mail server and lets you
access your email office remotely from any browser on the Internet or your
local network" (IceWarp.com). Web Mail runs on Windows XP/2000/NT/9X/ME,
supports SMTP/POP3/IMAP4/HTTP Internet protocols and has a spell checker,
remote web administration, any attachment support, private and shared
address books, groups, signatures, multiple mail server support and many
other powerful options (IceWarp.com). According to their site it was first
officially released on March 6, 2000.
IceWarp has a nifty little feature where your address book appears as a
dropdown menu next to the message's "To:", "Cc:", and "Bcc:" fields which
allows sending a message to a contact in your address book very easy. When
IceWarp loads your address book into these dropdown menus it doesn't
sanitize the "Full Name" segment so malicous code (or any code, I don't
care) can be placed into this field and it will be executed whenever the
user loads the page to write a new message. However, since the dropdown menu
appears thrice (beside each field) the code will execute 3 times.
One problem with providing a link to automatically enter this data into the
address book is that IceWarp uses ID numbers to keep track of the logged in
user. If you do not know this number then IceWarp lists the user as not
logged in. Therefore it becomes more difficult to execute a XSS attack. This
number is randomly generated (I think), and changes everytime the user logs
in. This number can be seen in the URL or many places in the code of the
Code from inbox:
You can see the ID number listed beside 'id='
A URL can be crafted easily which will fill in the values on the 'Add
Address' page just by viewing the code. The one I used is as follows:
NOTE: I used some encoding for the spaces but none was necessary for the
page I tested on. However, encoding the entire URL would be a good way to
disguise the intentions of it.
The problem with this is that it will go to the page (if you know the ID#),
and fill in the required fields. However it will not submit the form. I'll
leave this for someone else to figure out. An easier way would be if the
page used CGI or PHP where the form could be submitted solely through the
URL and then redirect to another site etc...
But, as far as I have found, all the transactions are handled by an
executable file rather than scripts.
Another problem is that instead of cookies IceWarp uses ID numbers which
reduces the chances of our URL working (because we need to have their ID
number and they must still be in that session).
I notified IceWarp about 1 A.M. and Adam of IceWarp replied by noon. His
response was composed of the following:
"Hello Cameron, Ok.. I send your notice to our developers. Thanks"
and that was the last I've heard from them.
::shrug:: at least he was prompt about it.
It seems to me this has all the normal dangers of a XSS hole so listing
them seems pointless (I'm sure we've all seen them). If someone develops a
way to submit the form through the URL or by bypassing the form altogether
I'd definitly like to see how you did it. Same thing if someone expands this
idea to include other/larger possibilites.
Later on, and have fun,
- DarC KonQuesT -(DiR)-
P.S. - More lame advisories to come! (XSS is pathetic and remarkably
DarCLinG, V3ga, st3v3, Jenn, Christina, ACES, and M. Howard
"Congress shall make no law abridging the freedom of sXXXch, or the right of
the people peaceably to XXXemble, and to peXXXion the government for a
redress of grievances." -- Marc Rotenberg
Go to the Top of This SecurityTracker Archive Page