SSD Advisory – Icewarp, AfterLogic and MailEnable Code Injection

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities in Icewarp, AfterLogic and MailEnable Webmails.
The three vulnerabilities found are:

  1. Afterlogic Webmail code injection
  2. Icewarp Webmail code injection
  3. MailEnable Webmail code injection

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Responses
AfterLogic
AfterLogic has released a patch to address the vulnerability. We have no information on which version addresses this; we believe the latest version of AfterLogic includes patches for the vulnerability.
IceWarp
IceWarp has released a patch to address the vulnerability – version 11.4.0.
MailEnable
We notified MailEnable of the vulnerabilities back in November 2015. Repeated attempts to re-establish contact and get an answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.

Vulnerability Details
Afterlogic Webmail code injection
The vulnerability occurs in the login.aspx file. Afterlogic Webmail does not sanitize the user-supplied LanguageID parameter, allowing for code injection.

Site.com/Mondo/lang/sys/login.aspx?LanguageID=EN55341'%3balert(1)%2f%2f939&UserID=test@test&Password=test&Method=Auto&skin=Pacific&offset=180


Proof of Concept
Send email with the following link:

<a href="demo.test.com/Mondo/lang/sys/login.aspx?LanguageID=EN55341'%3balert(document.cookie)%2f%2f939&UserID=test@test&Password=demo&Method=Auto&skin=Pacific&offset=180">Visit our HTML tutorial</a>
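
One way to check for this on the defensive side, as an added example that is not part of the original advisory or AfterLogic's code: an allow-list for LanguageID, usable as server-side validation and as a scan over web access logs. The language-tag pattern, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate LanguageID is a short language tag such as "EN" or "pt-BR".
LANG_ID = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?")
LOGIN_PATH = "/mondo/lang/sys/login.aspx"  # path from the advisory, lower-cased
REQUEST = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize_language_id(value, default="EN"):
    """Server-side allow-list: keep the value only if it is a plain language tag."""
    if value is not None and LANG_ID.fullmatch(value):
        return value
    return default

def suspicious_language_ids(request_target):
    """Return decoded LanguageID values on login.aspx that fail the allow-list."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith(LOGIN_PATH):
        return []
    # parse_qs percent-decodes, so %3b and %2f are checked as ';' and '/'.
    query = parse_qs(parts.query)
    # Match the parameter name case-insensitively.
    values = [v for k, vs in query.items() if k.lower() == "languageid" for v in vs]
    return [v for v in values if not LANG_ID.fullmatch(v)]

def scan_access_log(lines):
    """Return (client, bad_values) for each log line with a rejected LanguageID."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        bad = suspicious_language_ids(m.group(2)) if m else []
        if bad:
            hits.append((m.group(1), bad))
    return hits

# Constructed sample lines (documentation IP ranges); the second carries the
# LanguageID value shown in the advisory, the others are benign requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2016:10:00:00 +0000] "GET /Mondo/lang/sys/login.aspx?LanguageID=EN&Method=Auto HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2016:10:00:05 +0000] "GET /Mondo/lang/sys/login.aspx?LanguageID=EN55341\'%3balert(1)%2f%2f939&Method=Auto HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Jan/2016:10:00:09 +0000] "GET /mondo/lang/sys/login.aspx?languageid=pt-BR&Method=Auto HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, bad in scan_access_log(SAMPLE_LOG):
        print(client, bad)
```
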

Icewarp Webmail code injection
The vulnerability occurs when HTML/JavaScript is injected into the body of a calendar note. Once an attacker has injected malicious code into the “event”, anyone who opens the “event” will run the malicious code.
Proof of Concept
Insert the following script into the “note” section of the calendar’s event:

 "><img src=x onerror=prompt(1);>



MailEnable Webmail code injection
The vulnerability occurs when an HTML file is uploaded to the file repository. MailEnable Webmail does not sanitize file content, so an attacker can upload a file with malicious code (for example, httponly document.cookie) to the repository. When the victim clicks the file, the malicious code runs.
Proof of Concept
Create an HTML file with the following content:

<script>alert(document.cookie)</script>