IceWarp WebMail Email View XSS

`Advisory: IceWarp WebMail Server: Cross Site Scripting in Email View  
  
During a penetration test, RedTeam Pentesting discovered that the IceWarp  
WebMail Server is prone to Cross Site Scripting attacks in its email view.  
This enables attackers to send emails with embedded JavaScript code,  
for example, to steal users' session IDs.  
  
  
Details  
=======  
  
Product: IceWarp eMail Server / WebMail Server  
Affected Versions: 9.4.1  
Fixed Versions: 9.4.2  
Vulnerability Type: Cross Site Scripting  
Security Risk: high  
Vendor URL: http://www.icewarp.com/  
Vendor Status: notified, fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-001  
Advisory Status: published  
CVE: CVE-2009-1467  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467  
  
  
Introduction  
============  
  
"Feature complete yet easy to use, WebMail Server Pro provides feature  
rich Web 2.0 web-based access to email, calendars, contacts, files and  
shared data from any computer with browser and internet connection,  
without the usual configuration hassle. Thanks to advanced technologies  
and application-like look and feel, Pro suggests it was born to become the  
ultimate replacement of Outlook and similar desktop mail clients."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
To prevent the execution of JavaScript and VBScript code in HTML emails  
and to remove unwanted HTML tags, the IceWarp WebMail Server filters HTML  
emails with the function cleanHTML() that is defined in the PHP file  
  
html/webmail/server/inc/tools.php  
  
This filtering function can be circumvented in various ways, to still  
allow XSS to happen.  
  
  
Tag Removal  
-----------  
  
Beginning in line 462 down to line 482, the cleanHTML() function removes  
or changes a variety of keywords which are considered malicious. This  
includes the removal of all attributes starting with "on" (e.g.  
onmouseover, onload etc.) and the rewriting of the words "javascript" and  
"vbscript" to "noscript".  
  
Later, in line 485, the cleanHTML() function completely removes various HTML  
tags from the email:  
  
$string = preg_replace('#</*(meta|xml|blink|link|embed|object|iframe|  
frame|frameset|ilayer|layer|bgsound)[^>]*>#i',"",$string);  
  
By inserting one of these HTML tags, which gets removed by the filtering  
function, between the keywords which get filtered before, the cleanHTML()  
function will not recognize them anymore. Later, it will remove the HTML  
tag and thereby make the keyword valid again.  
  
  
Proof of Concept Tag Removal  
----------------------------  
  
An HTML email with the following content will open an alert box in  
victims' browsers when they move the mouse over the "XSS" text of the  
<div> tag:  
  
<div o<xml>nmouseover="alert('XSS')";>XSS</div>  
  
This circumvention should work in all recent browsers with JavaScript  
support, during the penetration test Firefox 3.x was used.  
  
  
Hex Encoding  
------------  
  
Another way to circumvent the filtering is to use hex-encoded HTML  
entities. The character "j" can e.g. be encoded as "&#x6A;". The  
cleanHTML() function decodes the given string once in line 459:  
  
$string = html_entity_decode($string, ENT_COMPAT, "UTF-8");  
  
By double encoding the input, all regular expressions used for filtering  
will fail to recognize malicious content even after the first decoding.  
  
The effect of this vulnerability is limited by the fact that HTML  
encoded entities are recognized by browsers only if they are part of a  
text node or attribute values.  
  
  
Proof of Concept Hex Encoding  
-----------------------------  
  
The "src" attribute value of the HTML tag  
  
<img src=javascript:alert(RedTeam)>  
  
can be double encoded as  
  
<img src=&#x26;&#x23;&#x78;&#x36;&#x61;&#x3b;&#x26;&#x23;&#x78;&#x36;  
&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x36;&#x3b;&#x26;&#x23;&#x78;  
&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x33;&#x3b;&#x26;&#x23;  
&#x78;&#x36;&#x33;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x32;&#x3b;&#x26;  
&#x23;&#x78;&#x36;&#x39;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x30;&#x3b;  
&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x61;  
&#x3b;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x36;  
&#x63;&#x3b;&#x26;&#x23;&#x78;&#x36;&#x35;&#x3b;&#x26;&#x23;&#x78;  
&#x37;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;  
&#x78;&#x32;&#x38;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x34;&#x3b;&#x26;  
&#x23;&#x78;&#x33;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x32;&#x39;&#x3b;>  
  
This will be decoded by the html_entity_decode() function in line 459 to  
the string  
  
<img src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;  
&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x34;&#x32;&#x29;>  
  
The value of the "src" attribute will not be recognized by the filtering  
attempts following the decoding in the cleanHTML() function.  
  
A message with such an image tag in the body will trigger the JavaScript  
and open a popup box if the browser supports "javascript:" attribute  
values in image elements' "src" attributes. This particular proof of  
concept works with Internet Explorer 6, the newest Firefox will not  
execute the JavaScript.  
  
  
Workaround  
==========  
  
Users can disable the HTML message view in their configuration, so emails  
are only displayed as plaintext.  
  
  
Fix  
===  
  
Upgrade to version 9.4.2.  
  
  
Security Risk  
=============  
  
The risk of this vulnerability is estimated as high. Attackers have the  
possibility to execute arbitrary JavaScript code in users' browsers and  
are thereby able to steal, for example, the users' session IDs. Users  
also cannot disallow JavaScript, as it is needed by the application  
itself to work properly.  
  
  
History  
=======  
  
2009-03-23 Vulnerabilities identified during a penetration test  
2009-04-01 Meeting with customer and vendor  
2009-04-28 CVE number assigned  
2009-05-05 Vendor publishes fixed version  
2009-05-05 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`