Lucene search

K
nessusThis script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ICEWARP_9_4_2.NASL
HistoryMay 08, 2009 - 12:00 a.m.

IceWarp Merak WebMail Server < 9.4.2 Multiple Vulnerabilities

2009-05-0800:00:00
This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
145

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.014

Percentile

86.4%

The remote host is running IceWarp WebMail Server - a webmail server for Windows and Linux.

According to its banner, the version of IceWarp installed on the remote host is earlier than 9.4.2. Such versions may reportedly be affected by multiple vulnerabilities :

  • A SQL injection vulnerability exists in the search form of the web-based groupware component. (CVE-2009-1468)

  • A cross-site scripting vulnerability exists because the application fails to properly sanitize HTML emails. An attacker can exploit this flaw through the ‘cleanHTML()’ function of the ‘html/webmail/server/inc/tools.php’ script. (CVE-2009-1467)

  • A cross-site scripting vulnerability exists because the application fails to properly sanitize RSS feeds. An attacker can exploit this flaw through the ‘cleanHTML()’ function of the ‘html/webmail/server/inc/rss/rss.php’ script. (CVE-2009-1467)

  • An input validation flaw exists in the ‘Forgot Password’ function on the login page. (CVE-2009-1469)

  • A specially crafted HTTP request may allow an attacker to disclose the contents of PHP files.

An attacker could exploit these flaws to steal user-based credentials, create arbitrary files, or possibly execute arbitrary code subject to the privileges of the affected application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(38717);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-1467", "CVE-2009-1468", "CVE-2009-1469");
  script_bugtraq_id(
    34820,
    34823,
    34825,
    34827
  );
  script_xref(name:"SECUNIA", value:"34912");

  script_name(english:"IceWarp Merak WebMail Server < 9.4.2 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote webmail server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running IceWarp WebMail Server - a webmail
server for Windows and Linux.

According to its banner, the version of IceWarp installed on the
remote host is earlier than 9.4.2.  Such versions may reportedly be
affected by multiple vulnerabilities :

  - A SQL injection vulnerability exists in the search form 
    of the web-based groupware component. (CVE-2009-1468)

  - A cross-site scripting vulnerability exists because the
    application fails to properly sanitize HTML emails. An
    attacker can exploit this flaw through the 'cleanHTML()' 
    function of the 'html/webmail/server/inc/tools.php' 
    script. (CVE-2009-1467)

  - A cross-site scripting vulnerability exists because the
    application fails to properly sanitize RSS feeds. An
    attacker can exploit this flaw through the 'cleanHTML()' 
    function of the 'html/webmail/server/inc/rss/rss.php' 
    script. (CVE-2009-1467)

  - An input validation flaw exists in the 'Forgot Password'
    function on the login page. (CVE-2009-1469)

  - A specially crafted HTTP request may allow an attacker
    to disclose the contents of PHP files.

An attacker could exploit these flaws to steal user-based credentials,
create arbitrary files, or possibly execute arbitrary code subject to 
the privileges of the affected application.");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2009-004/-icewarp-webmail-server-client-side-specification-of-forgot-password-email-content
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?866c85a5");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2009-003/-icewarp-webmail-server-sql-injection-in-groupware-component
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df2ecfe5");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2009-002/-icewarp-webmail-server-user-assisted-cross-site-scripting-in-rss-feed-reader
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6eab1aa");
  # https://www.redteam-pentesting.de/en/advisories/rt-sa-2009-001/-icewarp-webmail-server-cross-site-scripting-in-email-view
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a296894e");
  script_set_attribute(attribute:"solution", value:
"Upgrading to IceWarp 9.4.2 or later reportedly fixes the problems.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(79, 89, 94);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:icewarp:webmail");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smtpserver_detect.nasl", "popserver_detect.nasl", "doublecheck_std_services.nasl", "http_version.nasl");
  script_require_keys("www/icewarp");
  script_require_ports("Services/smtp", 25, "Services/pop3", 110, "Services/nntp", 119, "Services/imap", 143, "Services/www", 32000);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("imap_func.inc");
include("pop3_func.inc");
include("smtp_func.inc");

# Make sure the webmail component is accessible.
http_port = get_http_port(default:32000);

banner = get_http_banner(port:http_port);
if (!banner) exit(1, "No HTTP baner on port "+http_port);
if ("IceWarp" >!< banner) exit(0, "The web server on port "+http_port+" is not IceWarp");

# Try to get the version number from a banner.
ver = NULL;
service = NULL;

#
# - HTTP
if (isnull(ver))
{
  pat = "IceWarp/([0-9\.]+)";
  matches = egrep(pattern:pat, string:banner);
  
  if (matches)
  {
    foreach match (split(matches, keep:FALSE))
    {
      item = eregmatch(pattern:pat, string:match);
      if (!isnull(item))
      {
        ver = item[1];
        service = "HTTP";
        break;
      }
    }
  }
}

#
# - SMTP
if (isnull(ver))
{
  ports = get_kb_list("Services/smtp");
  if (isnull(ports)) ports = make_list(25);

  foreach port (ports)
  {
    if (get_port_state(port))
    {
      banner = get_smtp_banner(port:port);
      if (banner && (" ESMTP IceWarp " >< banner || " ESMTP Merak " >< banner))
      {
        pat = " ESMTP (IceWarp|Merak) ([0-9\.]+);";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "SMTP";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

#
# - POP3
if (isnull(ver))
{
  ports = get_kb_list("Services/pop3");
  if (isnull(ports)) ports = make_list(110);

  foreach port(ports)
  {
    if (get_port_state(port))
    {
      banner = get_pop3_banner(port:port);
      if (banner && " POP3 " >< banner && (" IceWarp " >< banner || " Merak" >< banner))
      {
        pat = " (IceWarp|Merak) ([0-9\.]+) POP3 ";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "POP3";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

#
# - IMAP
if (isnull(ver))
{
  ports = get_kb_list("Services/imap");
  if (isnull(ports)) ports = make_list(143);
  foreach port (ports)
  {
    if (get_port_state(port))
    {
      banner = get_imap_banner(port:port);
      if (banner && " IMAP4" >< banner && (" IceWarp " >< banner || " Merak " >< banner))
      {
        pat = " (IceWarp|Merak) ([0-9\.]+) IMAP4";
        matches = egrep(pattern:pat, string:banner);
        if (matches)
        {
          foreach match (split(matches))
          {
            match = chomp(match);
            item = eregmatch(pattern:pat, string:match);
            if (!isnull(item))
            {
              ver = item[2];
              service = "IMAP";
              break;
            }
          }
        }
      }
      if (isnull(ver) && !thorough_tests) exit(0);
    }
    if (!isnull(ver)) break;
  }
}

if (ver && ver =~ "^[0-8]\.[0-9\.]+|9\.([0-3]\.[0-9\.+]|4\.[0-1])$")
{
  set_kb_item(name:'www/'+http_port+'/XSS', value:TRUE);
  set_kb_item(name:'www/'+http_port+'/SQLInjection', value:TRUE);

  if (report_verbosity > 0)
  {
    report = string(
      "\n",
      "According to its ", service, " banner, the remote host is running IceWarp \n",
      "Merak WebMail Server version ", ver, ".",
      "\n"
    );
    security_warning(port:http_port, extra:report);
  }
  else security_warning(http_port);
}

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.014

Percentile

86.4%