SecurityTracker.com
Category:   Application (E-mail Server)  >   IceWarp Web Mail
Vendors:   IceWarp Software
IceWarp WebMail Server Input Validation Flaw in 'Email View' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1022167
SecurityTracker URL:  http://securitytracker.com/id/1022167
CVE Reference:   CVE-2009-1467
Date:  May 6 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 9.4.1
Description:   A vulnerability was reported in IceWarp WebMail Server in the Email View function. A remote user can conduct cross-site scripting attacks.

The Email View function does not properly filter HTML code from user-supplied input before displaying the input. A remote user can send a specially crafted e-mail message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the WebMail software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on April 1, 2009.

The original advisory is available at:

http://www.redteam-pentesting.de/advisories/rt-sa-2009-001

RedTeam Pentesting GmbH reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WebMail software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (9.4.2).
Vendor URL:  www.icewarp.com/products/webmail/
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


Source Message Contents

Date:  Tue, 5 May 2009 14:55:06 +0200
Subject:  [Full-disclosure] [RT-SA-2009-001] IceWarp WebMail Server: Cross


Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View

During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails with embedded JavaScript code,
for example, to steal users' session IDs.


Details
=======

Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-001
Advisory Status: published
CVE: CVE-2009-1467
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467


Introduction
============

"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become the
ultimate replacement of Outlook and similar desktop mail clients."

(from the vendor's homepage)


More Details
============

To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML() that is defined in the PHP file

html/webmail/server/inc/tools.php

This filtering function can be circumvented in several ways, so that XSS
is still possible.


Tag Removal
-----------

From line 462 to line 482, the cleanHTML() function removes or rewrites a
number of keywords that are considered malicious. This includes the
removal of all attributes whose names start with "on" (e.g. onmouseover,
onload etc.) and the rewriting of the words "javascript" and "vbscript"
to "noscript".

Later, in line 485, the cleanHTML() function completely removes various HTML
tags from the email:

$string = preg_replace('#</*(meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound)[^>]*>#i', "", $string);

If one of these HTML tags, which the filtering function removes, is
inserted inside a keyword that the earlier rules filter, those rules no
longer recognize the keyword. The later tag removal then strips the tag
and thereby reassembles the keyword, making it valid again.


Proof of Concept Tag Removal
----------------------------

An HTML email with the following content will open an alert box in
victims' browsers when they move the mouse over the "XSS" text of the
<div> tag:

<div o<xml>nmouseover="alert('XSS')";>XSS</div>

This circumvention should work in all recent browsers with JavaScript
support; during the penetration test, Firefox 3.x was used.


Hex Encoding
------------

Another way to circumvent the filtering is to use hex-encoded HTML
entities. The character "j" can e.g. be encoded as "&#x6A;". The
cleanHTML() function decodes the given string once in line 459:

$string = html_entity_decode($string, ENT_COMPAT, "UTF-8");

By double encoding the input, all regular expressions used for filtering
will fail to recognize malicious content even after the first decoding.

The effect of this vulnerability is limited by the fact that HTML
encoded entities are recognized by browsers only if they are part of a
text node or attribute values.


Proof of Concept Hex Encoding
-----------------------------

The "src" attribute value of the HTML tag

<img src=javascript:alert(RedTeam)>

can be double encoded as

<img src=&#x26;&#x23;&#x78;&#x36;&#x61;&#x3b;&#x26;&#x23;&#x78;&#x36;
&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x36;&#x3b;&#x26;&#x23;&#x78;
&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x33;&#x3b;&#x26;&#x23;
&#x78;&#x36;&#x33;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x32;&#x3b;&#x26;
&#x23;&#x78;&#x36;&#x39;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x30;&#x3b;
&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x61;
&#x3b;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x36;
&#x63;&#x3b;&#x26;&#x23;&#x78;&#x36;&#x35;&#x3b;&#x26;&#x23;&#x78;
&#x37;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;
&#x78;&#x32;&#x38;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x34;&#x3b;&#x26;
&#x23;&#x78;&#x33;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x32;&#x39;&#x3b;>

This will be decoded by the html_entity_decode() function in line 459 to
the string

<img src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;
         &#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x34;&#x32;&#x29;>

The value of the "src" attribute will not be recognized by the filtering
attempts following the decoding in the cleanHTML() function.

A message with such an image tag in the body will trigger the JavaScript
and open a popup box if the browser supports "javascript:" attribute
values in image elements' "src" attributes. This particular proof of
concept works with Internet Explorer 6; the newest Firefox will not
execute the JavaScript.
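
To make the two bypass mechanisms described in the Tag Removal and Hex Encoding sections concrete, the following Python block is an added example written for this page; it is not IceWarp's cleanHTML() code. It models a denylist sanitizer with the rule order described above (decode entities once, strip "on*" attributes and script keywords, then remove forbidden tags), feeds it inputs constructed after the two proofs of concept, and contrasts it with a hardened variant that decodes to a fixpoint and re-applies every rule until nothing changes. All pattern and function names (clean_html_weak, clean_html_hardened, hex_entity_encode, browser_view, evaluate) are this example's own assumptions.

```python
import html
import re

# Constructed model of a denylist HTML sanitizer, written for this page.
# The rule order mirrors the advisory's description of cleanHTML():
# decode once, filter keywords, then strip forbidden tags. Not IceWarp code.

FORBIDDEN_TAG_RE = re.compile(
    r'</*(meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound)[^>]*>',
    re.IGNORECASE)
# Any attribute whose name starts with "on", with a quoted or bare value.
ON_ATTRIBUTE_RE = re.compile(r'\bon\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.IGNORECASE)
SCRIPT_SCHEME_RE = re.compile(r'javascript|vbscript', re.IGNORECASE)


def clean_html_weak(markup: str) -> str:
    """Order-dependent denylist: keyword rules run before tag removal, entities decoded once."""
    markup = html.unescape(markup)                     # decoded exactly once
    markup = ON_ATTRIBUTE_RE.sub('', markup)           # drop on* event handlers
    markup = SCRIPT_SCHEME_RE.sub('noscript', markup)  # neutralise script URL schemes
    markup = FORBIDDEN_TAG_RE.sub('', markup)          # tag removal comes last
    return markup


def clean_html_hardened(markup: str) -> str:
    """Same rules, but decode to a fixpoint and re-run all rules until nothing changes."""
    previous = None
    while previous != markup:                          # peel off every encoding layer
        previous, markup = markup, html.unescape(markup)
    previous = None
    while previous != markup:                          # removing one construct must not rebuild another
        previous = markup
        markup = FORBIDDEN_TAG_RE.sub('', markup)
        markup = ON_ATTRIBUTE_RE.sub('', markup)
        markup = SCRIPT_SCHEME_RE.sub('noscript', markup)
    return markup


def hex_entity_encode(text: str) -> str:
    """Encode every character as a hexadecimal numeric character reference (&#x..;)."""
    return ''.join('&#x%02x;' % ord(c) for c in text)


def browser_view(markup: str) -> str:
    """Approximate the browser: one round of entity decoding in attribute values."""
    return html.unescape(markup)


# Constructed inputs modelled on the advisory's two proofs of concept.
TAG_SPLIT_POC = '<div o<xml>nmouseover="alert(\'XSS\')";>XSS</div>'
HEX_POC = '<img src=' + hex_entity_encode(hex_entity_encode('javascript:alert(42)')) + '>'


def evaluate() -> dict:
    """Report whether each payload survives the weak filter and the hardened one."""
    return {
        'weak_keeps_handler': 'onmouseover=' in clean_html_weak(TAG_SPLIT_POC),
        'hardened_keeps_handler': 'onmouseover' in clean_html_hardened(TAG_SPLIT_POC).lower(),
        'weak_keeps_script_url': 'javascript:' in browser_view(clean_html_weak(HEX_POC)),
        'hardened_keeps_script_url': 'javascript' in clean_html_hardened(HEX_POC).lower(),
    }


if __name__ == '__main__':
    for name, leaked in evaluate().items():
        print(f'{name}: {leaked}')
```

Running the block shows the weak filter leaking both payloads and the hardened one rejecting them. Iterating denylist rules to a fixpoint only closes the two ordering and double-encoding gaps shown here; the robust fix for rendering untrusted e-mail HTML is to parse the markup and re-serialize an allowlist of elements and attributes with a purpose-built sanitizer such as HTML Purifier (PHP) or DOMPurify (JavaScript), rather than pattern-matching the raw string.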


Workaround
==========

Users can disable the HTML message view in their configuration, so emails
are only displayed as plaintext.


Fix
===

Upgrade to version 9.4.2.


Security Risk
=============

The risk of this vulnerability is estimated as high. Attackers have the
possibility to execute arbitrary JavaScript code in users' browsers and
are thereby able to steal, for example, the users' session IDs. Users
also cannot disallow JavaScript, as it is needed by the application
itself to work properly.


History
=======

2009-03-23 Vulnerabilities identified during a penetration test
2009-04-01 Meeting with customer and vendor
2009-04-28 CVE number assigned
2009-05-05 Vendor publishes fixed version
2009-05-05 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests (pentests for
short), performed by a team of specialised IT security experts. In this
way, security weaknesses in company networks or products are uncovered
and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen                    http://www.redteam-pentesting.de/
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck


Copyright 2013, SecurityGlobal.net LLC