Release date:
Updated on: 2013-06-26
Affected Systems:
Icewarp IceWarp Mail Server
Description:
--------------------------------------------------------------------------------
Bugtraq id: 60755
IceWarp Mail Server is a comprehensive mail server suite that includes email, anti-spam, anti-virus and other functions.
IceWarp Mail Server 10.4.5 and other versions contain multiple cross-site scripting (XSS) and XML external entity (XXE) injection vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary script code and perform unauthorized operations in the affected browsers.
<* Source: V. Paulikas
Link: http://seclists.org/fulldisclosure/2013/Jun/198
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
1) Cross-Site Scripting Vulnerability:
/Webmail/calendar/index.html
/Admin/tools/svnparser.html
2) XML external entity injection vulnerability (without authentication). Attackers can exploit this vulnerability by sending specially crafted HTTP POST requests to the /rpc/gw.html script. A valid Administrator credential is required to exploit this vulnerability.
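A gateway-side check of the kind a defender would place in front of an XML-RPC endpoint such as /rpc/gw.html, added here as an example and not taken from IceWarp or from the vendor patch: XML-RPC never needs a DTD, so any DOCTYPE or external entity declaration in a request body is rejected before the body reaches the real parser. The endpoint path is the one this advisory names; the two sample request bodies are constructed.

```python
import xml.parsers.expat

RPC_PATH = "/rpc/gw.html"  # endpoint named in the advisory


def inspect_xml(body: bytes) -> dict:
    """Scan once with expat and record DTD features an XML-RPC call never needs.
    No ExternalEntityRefHandler is installed, so nothing is ever resolved."""
    seen = {"doctype": False, "entities": [], "external": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen["doctype"] = True

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        seen["entities"].append(name)
        if sysid is not None or pubid is not None:  # SYSTEM/PUBLIC => external
            seen["external"].append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input: keep whatever DTD features were seen before the error
    return seen


def should_block(path: str, body: bytes) -> tuple:
    """Policy for the RPC gateway: only DTD-free XML may reach the RPC handler."""
    if path != RPC_PATH:
        return (False, "not the rpc gateway")
    info = inspect_xml(body)
    if info["external"]:
        return (True, "external entity declared: " + ",".join(info["external"]))
    if info["doctype"]:
        return (True, "DOCTYPE present; XML-RPC needs no DTD")
    return (False, "clean")


# Constructed samples (not from the advisory): a normal call and one carrying a DTD
BENIGN = b"<?xml version='1.0'?><methodCall><methodName>ping</methodName><params/></methodCall>"
DTD_CALL = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE methodCall [<!ENTITY ext SYSTEM 'http://example.invalid/x'>]>"
            b"<methodCall><methodName>&ext;</methodName></methodCall>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("dtd", DTD_CALL)):
        print(label, should_block(RPC_PATH, body))
```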
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Icewarp
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.icewarp.com/download/patches/10.4.5/html.zip