The Spiderlabs team at Trustwave published a new advisory today which detail issues discovered in the IceWarp Mail Server. IceWarp Mail Server solution supports SMTP, POP & IMAP standards and integrates anti-virus and anti-spam protection for email users. Administrators can manage their own email server with a GUI interface and remote users can access their email with a web 2.0 WebClient or Outlook. The issues in question were discovered while a penetration test was being performed for a Trustwave client.
The xml external entity injection and the php information disclosure was discovered by David Kirkpatrick who is a member of the SpiderLabs Network Penetration Testing team. David found that injecting a XML DOCTYPE "SYSTEM" directive when unauthenticated allowed local access to files on the operating system where the IceWarp Server is installed. He also discovered that the phpinfo() function was accessible and thus the version and configuration settings could be obtained. IceWarp was very responsive and managed to include these fixes in the September 19th release (version 10.3.3.).
ABOUT LEVELBLUE
LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.
