AOH :: HP Unsorted I :: VA3372.HTM

IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader



IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader
IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader




--hHWLQfXTYDoKhP50
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Advisory: IceWarp WebMail Server: User-assisted Cross Site Scripting in
          RSS Feed Reader

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted Cross Site Scripting
attacks in its RSS feed reader. If attackers control or compromise an
RSS feed users are subscribed to, they can run arbitrary JavaScript code
in the users' browsers by embedding it within the feed.


Details
======
Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: medium
Vendor URL: http://www.icewarp.com/ 
Vendor Status: notified, fixed version released
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-002 
Advisory Status: published
CVE: CVE-2009-1467
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467 


Introduction
===========
"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become
the ultimate replacement of Outlook and similar desktop mail clients."

(from the vendor's homepage)


More Details
===========
Users of the IceWarp WebMail Server can add RSS feeds as folders to
their folder list. The parsing of such feeds is done in the PHP file

html/webmail/server/inc/rss/rss.php

The individual items of an RSS channel are handled in

html/webmail/server/inc/rss/item.php

In the function getHTML(), the final HTML page for an item is assembled
and returned. The "title" and "description" keys correspond to the
 and <description> elements in the feed, the "href" key to the
<link> element:

------------------------------------------------------------------------
159   public function getHTML(&$aItem)
160   {
161       $aHTML['title'] = $this->subject;
162       $aHTML['href'] = $this->to;
163       $aHTML['description'] = Tools::cleanHTML($this->body,$base);
164
165       $aURL = parse_url($this->to);
166       $aItem['base'] = $aURL['host'];
167
168       @$sHTML = htmlspecialchars(
                        template('inc/templates/rss.tpl',$aHTML)
                    );
169
170       return $sHTML;
171   }
------------------------------------------------------------------------

Only the description gets sanitised by the cleanHTML() function, "title"
and "href" are embedded unmodified into the final HTML page.

This means that HTML or JavaScript code embedded in an item's <title> or
<link> element of an RSS feed users are subscribed to will be executed
as soon as they click on the item to display it. HTML and JavaScript
code within the <description> element of an item is sanitised, but the
sanitisation can be bypassed in the same way as described in RedTeam
Pentesting's advisory rt-sa-2009-001, "IceWarp WebMail Server: Cross
Site Scripting in Email View".

Attackers have two options for exploiting this vulnerability: First,
they can embed malicious code in a feed they control and convince users
to subscribe to this feed. Second, they can change RSS feeds the users
are already subscribed to by exploiting vulnerabilities in the systems
providing these feeds.


Proof of Concept
===============
The following RSS feed contains JavaScript code in the <title> and
<description> elements that displays a message containing the user's
session ID. This code gets executed when users click on the item to view
it:

------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting
    href="http://www.redteam-pentesting.de" 
      rel="self" 
      type="application/rss+xml" />
http://www.redteam-pentesting.de 
    Seeing your network from the attacker's perspective
    Mon, 16 Apr 2009 05:23:42 +0000
    de
    
      <script>alert('Title: Your session id is: ' + window.top=2EsSID);</script>
http://www.redteam-pentesting.de/pentest 
      Mon, 16 Apr 2009 05:23:42 +0000
      
        <div o<xml>nmouseover="alert('Description: Your session id is: ' + window.top.sSID)">
          RedTeam Pentesting XSS
        </div>
      
    
  

------------------------------------------------------------------------


Workaround
=========
None.


Fix
==
Upgrade to version 9.4.2.


Security Risk
============
Attackers who can inject JavaScript code into RSS feeds that users are
subscribed to, or who can get users to subscribe to such RSS feeds, can
execute any JavaScript code on the users' behalf. This will let them
control the web application on a victim user's behalf and access any
information accessible to that user, for example emails and files. It
can also be used to to steal the users' sessions and hijack their
accounts. Therefore the risk is estimated as medium.


History
======
2009-03-23 Vulnerabilities identified during a penetration test
2009-04-01 Meeting with customer and vendor
2009-04-28 CVE number assigned
2009-05-05 Vendor publishes fixed version
2009-05-05 Advisory released


RedTeam Pentesting GmbH
======================
RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de. 


-- 
RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
Dennewartstr. 25-27                        Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/ 
Germany                         Registergericht: Aachen HRB 14004
Gesch=E4ftsf=FChrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

--hHWLQfXTYDoKhP50
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSgA1ItG/HXWsgFSuAQLEZwf7BRUQECGVqeBNe8gY0/cWeoya0C/Xa/F4
AqDSl6kD+kmJenas4EqU8wz4nE4bgvyU7K/+JeGWIkmhOxMshj5+3xvkc+mQDNLr
wfV88x4p6a2kwZX+VYFAGp3/uWidiScn4abRZ3dNKNrrpmOT+yYX7roZSPDyLS2+
jTF1KVVlTERzB+VDDbZdbJ5z6fEfbKf7tzQPHEQKs9QvdkK4sGcCd2W59qmEMVXn
seEMiQzFaXlDwTCWPHjsJlez4Ns3vEnPHbWclVWlDFxb5N4m7vThkuRyOqa+EnUG
SYXaP1ihRm6WSDR8e+j9Q3oxvPBvaXXKbBg7HgUwziTgtwX2X1pw0A==TKW6
-----END PGP SIGNATURE-----

--hHWLQfXTYDoKhP50--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.