Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View
During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to Cross Site Scripting attacks in its email view.
This enables attackers to send emails containing JavaScript code that is
executed in the recipient's browser, for example to steal users' session IDs.
Details
=======
Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-001
Advisory Status: published
CVE: CVE-2009-1467
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467
Introduction
============
"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become the
ultimate replacement of Outlook and similar desktop mail clients."
(from the vendor's homepage)
More Details
============
To prevent the execution of JavaScript and VBScript code in HTML emails
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML
emails with the function cleanHTML(), which is defined in the PHP file
html/webmail/server/inc/tools.php.
This filtering function can be circumvented in several ways, so that XSS
is still possible.
Tag Removal
-----------
In lines 462 to 482, the cleanHTML() function removes or rewrites a
variety of keywords which are considered malicious. This includes the
removal of all attributes whose names start with "on" (e.g. onmouseover,
onload etc.) and the rewriting of the words "javascript" and "vbscript"
to "noscript".
Later, in line 485, the cleanHTML() function completely removes various HTML
tags from the email:
$string = preg_replace('#</*(meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound)[^>]*>#i',"",$string);
If one of these HTML tags is inserted into the middle of a keyword that the
earlier filters look for (for example into the name of an "on" attribute or
into the word "javascript"), the earlier filters no longer recognize the
keyword. The tag removal in line 485 then strips the inserted tag and
thereby reassembles the keyword, so it reaches the browser intact.
Proof of Concept Tag Removal
----------------------------
An HTML email with the following content will open an alert box in
victims' browsers when they move the mouse over the "XSS" text of the