Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » IceWarp Webmail XSS

IceWarp Webmail XSS

by Nikola Strahija on August 16th, 2002 IceWarp Webmail is a nice webmail daemon that "is a full featured top quality web mail solution which works with any mail server and lets you access your email office remotely from any browser on the Internet or your local network" (IceWarp.com). Web Mail runs on Windows XP/2000/NT/9X/ME, supports SMTP/POP3/IMAP4/HTTP Internet protocols and has a spell checker, remote web administration, any attachment support, private and shared address books, groups, signatures, multiple mail server support and many other powerful options (IceWarp.com). According to their site it was first officially released on March 6, 2000.


Problem:
IceWarp has a nifty little feature where your address book appears as a
dropdown menu next to the message's "To:", "Cc:", and "Bcc:" fields which
allows sending a message to a contact in your address book very easy. When
IceWarp loads your address book into these dropdown menus it doesn't
sanitize the "Full Name" segment so malicous code (or any code, I don't
care) can be placed into this field and it will be executed whenever the
user loads the page to write a new message. However, since the dropdown menu
appears thrice (beside each field) the code will execute 3 times.
One problem with providing a link to automatically enter this data into the
address book is that IceWarp uses ID numbers to keep track of the logged in
user. If you do not know this number then IceWarp lists the user as not
logged in. Therefore it becomes more difficult to execute a XSS attack. This
number is randomly generated (I think), and changes everytime the user logs
in. This number can be seen in the URL or many places in the code of the
page.

Code from inbox:

http://:32000/mail/readmail.html?folder=inbox&get=1&id=e
68972360786c64b3aa14dc0f60b1aa6
You can see the ID number listed beside 'id='

Exploit (almost):
A URL can be crafted easily which will fill in the values on the 'Add
Address' page just by viewing the code. The one I used is as follows:
NOTE: I used some encoding for the spaces but none was necessary for the
page I tested on. However, encoding the entire URL would be a good way to
disguise the intentions of it.

http://:32000/mail/addressaction.html?id=&newaddress=1&addressname=alert('DarCNesS%20Overwhelms')[email protected]

The problem with this is that it will go to the page (if you know the ID#),
and fill in the required fields. However it will not submit the form. I'll
leave this for someone else to figure out. An easier way would be if the
page used CGI or PHP where the form could be submitted solely through the
URL and then redirect to another site etc...
But, as far as I have found, all the transactions are handled by an
executable file rather than scripts.
Another problem is that instead of cookies IceWarp uses ID numbers which
reduces the chances of our URL working (because we need to have their ID
number and they must still be in that session).

Vendor Action:
I notified IceWarp about 1 A.M. and Adam of IceWarp replied by noon. His
response was composed of the following:
"Hello Cameron, Ok.. I send your notice to our developers. Thanks"
and that was the last I've heard from them.
::shrug:: at least he was prompt about it.

Aftermath:
It seems to me this has all the normal dangers of a XSS hole so listing
them seems pointless (I'm sure we've all seen them). If someone develops a
way to submit the form through the URL or by bypassing the form altogether
I'd definitly like to see how you did it. Same thing if someone expands this
idea to include other/larger possibilites.
Later on, and have fun,


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »