The following advisory describes three (3) vulnerabilities in Icewarp, AfterLogic and MailEnable Webmails.
The three vulnerabilities found are:
- Afterlogic Webmail code injection
- Icewarp Webmail code injection
- MailEnable Webmail code injection
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
AfterLogic has released patch to address the vulnerability – we have no information on which version addresses this, we believe the latest version of AfterLogic includes patches for the vulnerability.
IceWarp has released patch to address the vulnerability – version 11.4.0.
We notified MailEnable of the vulnerabilities back in November 2015, repeated attempts to re-establish contact and get some answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
Afterlogic Webmail code injection
The vulnerability occurs in login.aspx file. Afterlogic Webmail do not sanitize user input parameter LanguageID, allowing for code injection.
<a href="demo.test.com/Mondo/lang/sys/login.aspx?LanguageID=EN55341'%3balert(document.cookie)%2f%2f939&UserID=test@test&Password=demo&Method=Auto&skin=Pacific&offset=180">Visit our HTML tutorial</a>
Icewarp Webmail code injection
Proof of Concept
Insert the next script into the “note” section in the calender’s event:
"><img src=x onerror=prompt(1);>
MailEnable Webmail code injection
The vulnerability occurs when an HTML file is uploaded to the file repository. MailEnable Webmail don’t sanitize file content, an attacker can upload a file with malicious code, for example httponly document.cookie to repository. The victim will click the file and the malicious code will run.
Proof of Concept
Create an HTML file with the following content: