Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to user-assisted cross-site scripting attacks in its contact module. If IceWarp users import a manipulated vcard, for example from an email, attackers can run arbitrary JavaScript code in the users’ browsers.

Details

  • Product: IceWarp WebMail Server
  • Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
  • Fixed Versions: IceWarp 12.2.1.1
  • Vulnerability Type: Cross-Site Scripting
  • Security Risk: high
  • Vendor URL: http://www.icewarp.com/
  • Vendor Status: patch available
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-015
  • Advisory Status: published
  • CVE: CVE-2019-19265
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265

Introduction

“Secure professional email with own domain and revolutionary integration with chat. Shared calendars for perfect planning.” (from the vendor’s homepage)

More Details

IceWarp allows users to import contacts in vcard format (https://tools.ietf.org/html/rfc6350) from emails. These contacts can contain HTML notes as can be seen by exporting notes created by IceWarp. The following line shows such a note:

X-ALT-NOTE;FMTTYPE=text/html:<h1>RedTeam Pentesting</h1>

By inserting JavaScript here, a cross-site scripting vulnerability can be exploited if an IceWarp user imports such a manipulated contact into IceWarp. The property handling for the HTML formatted note “X-ALT-NOTE” and “FMTTYPE” is not defined in the vcard (https://tools.ietf.org/html/rfc6350) standard, but is borrowed from the calendar file format ical (https://tools.ietf.org/html/rfc2445). Originally, the vcard standard uses the property “NOTE”. This field can be used to exploit a cross-site scripting in IceWarp, too.

Proof of Concept

Send an IceWarp user one of the following vcards:

BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">
EMAIL;TYPE=INTERNET,PREF:testuser1@example.com
END:VCARD

or

BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
NOTE:<img style="display: none\;" src="x" onerror="alert('RedTeam Pentesting')">
EMAIL;TYPE=INTERNET,PREF:testuser1@example.com
END:VCARD

Workaround

None known.

Fix

Update to IceWarp 12.2.1.1.

Security Risk

Attackers without an account on the IceWarp system can send specially crafted vcard (https://tools.ietf.org/html/rfc6350) files to IceWarp users. If an IceWarp user imports that new contact into the IceWarp web application a cross-site scripting vulnerability can be exploited. That could, for example, be used to display a fake login form and get access to the user’s credentials, or to access any data stored in IceWarp such as emails, contacts, tasks, files or appointments. Access to these could be abused to exploit the vulnerability described in rt-sa-2019-016 (https://www.redteam-pentesting.de/advisories/rt-sa-2019-016). This is considered to pose a high risk.

Timeline

  • 2019-11-11 Vulnerability identified
  • 2019-11-15 Vendor notified
  • 2019-11-22 Customer approved disclosure
  • 2019-11-25 CVE number requested
  • 2019-11-25 CVE number assigned
  • 2019-12-02 Vendor released fixed version
  • 2019-12-10 Customer approved disclosure
  • 2019-12-13 Fixed version released
  • 2020-01-02 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/