[FD] [RT-SA-2019-016] IceWarp: Cross-Site Scripting in Notes

2020-01-02 Thread RedTeam Pentesting GmbH 
Advisory: IceWarp: Cross-Site Scripting in Notes

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to cross-site scripting attacks in notes
for objects. If attackers with access to the IceWarp system provide a
manipulated object that is displayed by users, they can run arbitrary
JavaScript code in the users' browsers.

Details
===

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-016
Advisory Status: published
CVE: CVE-2019-19266
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19266

Introduction


"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."
(from the vendor's homepage)


More Details


Users can create, modify and share appointments in IceWarp with other
users of the web application. Especially noteworthy are the following
two XML Entities in the request to create a new appointment:


text/html
RedTeam Pentesting


These define a note for an appointment. It was found that in notes some
HTML entities were rendered, but some entities and attributes were
filtered. However, the filter only takes effect when the content type of
the note is set to "text/html". When the content type is left out or set
to any other type, the filter is not active, enabling attackers to
circumvent the filter and execute JavaScript in the user's browser. The
same is true for notes attached to other objects, such as files or
tasks.

Just using the calendar module, at least three ways to attack other
IceWarp users are available using cross-site scripting in a note of an
appointment:

 * Inviting other attendees to an appointment
 * Sharing access to an appointment
 * Sending a calendar file as a request via email

Especially for the first variant of attacking an IceWarp user by adding
that user to a manipulated appointment, no user interaction is required
from the attacked user besides opening the IceWarp calendar.

Proof of Concept


Create an appointment using an HTTP request similar to the following:


POST /[...]/webmail/server/webmail.php HTTP/1.1
Host: icewarp.example.com
Content-Type: text/xml


  

  

  
Example Appointment
0


U


0
Z
<_tzevnstartdate>2458801
<_tzevnenddate>2458801
<_tzevnstarttime>660
<_tzevnendtime>690
<_tzid>Europe/Amsterdam
60
  

  

  




Workaround
==

None known.


Fix
===

Update to IceWarp 12.2.1.1.


Security Risk
=

Attackers with access to an IceWarp account could give other legitimate
IceWarp users access to manipulated objects. If the attacked user opens
the preview of such an object, for example by just opening the calendar,
a cross-site scripting vulnerability can be exploited. That could, for
example, be used to display a fake login form and get access to the
user's credentials, or to access any data stored in IceWarp such as
emails, contacts, tasks, files or appointments. While this requires an
attacker with access to an IceWarp account, this kind of access could be
gained by exploiting the vulnerability described in rt-sa-2019-15 [1].
This is considered to pose a high risk.


Timeline


2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released


References
==

[1] https://www.redteam-pentesting.de/advisories/rt-sa-2019-015


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting

[FD] [RT-SA-2019-015] IceWarp: Cross-Site Scripting in Notes for Contacts

2020-01-02 Thread RedTeam Pentesting GmbH 
Advisory: IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted cross-site scripting
attacks in its contact module. If IceWarp users import a manipulated
vcard, for example from an email, attackers can run arbitrary JavaScript
code in the users' browsers.


Details
===

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-15
Advisory Status: published
CVE: CVE-2019-19265
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265

Introduction


"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."
(from the vendor's homepage)


More Details


IceWarp allows users to import contacts in vcard format [1] from emails.
These contacts can contain HTML notes as can be seen by exporting notes
created by IceWarp. The following line shows such a note:


X-ALT-NOTE;FMTTYPE=text/html:RedTeam Pentesting


By inserting JavaScript here, a cross-site scripting vulnerability can
be exploited if an IceWarp user imports such a manipulated contact into
IceWarp. The property handling for the HTML formatted note "X-ALT-NOTE"
and "FMTTYPE" is not defined in the vcard [1] standard, but is borrowed
from the calendar file format ical [2]. Originally, the vcard standard
uses the property "NOTE". This field can be used to exploit a cross-site
scripting in IceWarp, too.


Proof of Concept


Send an IceWarp user one of the following vcards:


BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD


or


BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
NOTE:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD



Workaround
==

None known.


Fix
===

Update to IceWarp 12.2.1.1.


Security Risk
=

Attackers without an account on the IceWarp system can send specially
crafted vcard [1] files to IceWarp users. If an IceWarp user imports
that new contact into the IceWarp web application a cross-site scripting
vulnerability can be exploited. That could, for example, be used to
display a fake login form and get access to the user's credentials, or
to access any data stored in IceWarp such as emails, contacts, tasks,
files or appointments. Access to these could be abused to exploit the
vulnerability described in rt-sa-2019-016 [3].
This is considered to pose a high risk.


Timeline


2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released


References
==

[1] https://tools.ietf.org/html/rfc6350
[2] https://tools.ietf.org/html/rfc2445
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


-- 
RedTeam Pentesting GmbH   Tel.: +49 241 510081-0
Dennewartstr. 25-27   Fax : +49 241 510081-99
52068 Aachenhttps://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer:   Patrick Hof, Jens Liebchen


signature.asc
Description: PGP signature