ICEWARP Multiple Clients, Persistent Cross Site Scripting (XSS)

[Re-post] Original Post, posted on: 15th Feb, 2014 on Xc0re blog.

While going through the Icewarp client I found that  it is possible to inject malicious HTML Element tags into the email and cause a Cross site Scripting (XSS) payload to be executed.

The versions that I tested on, were  :

  • 11.0.0.0 (2014-01-25) x64  (http://demo.icewarp.com/)
  • 10.3.4

————–

The details about the POC are as follows :

It was observed that the ICEWARP Client Version 10.3.4 is vulnerable to tag as well as tag.  Any attacker can create a specially crafted message and inject it into the Signature and as soon as the signature is loaded it will execute the XSS payload.

The Latest ICEWARP Client version 11.0.0 was tested on ICEWARPs own website : demo.icewarp.com and was observed that it filters the tag but does not filter the tag thus allowing the injection of malicious payload into the Signature portion and as soon as the signature is selected , it executes the payload. On further testing it was found that the vulnerability found in this version  can not qualify as a complete persistent vulnerability but in order to attack one has to use social engineering for the person to paste and execute.

Once the XSS payload was embedded , it always executed when the compose email was clicked but once the email was saved as draft , the payload disappeared.  It was noticable that in the signature box when we embedded >alert(1); , it got filtered immediately and never carried to the compose email but with Embed and Object tag it did execute on the compose email level.

Proof Of Concept
=================

Can be found here:—–