TITLE: IceWarp Web Mail Multiple Unspecified Vulnerabilities SECUNIA ADVISORY ID: SA12269 VERIFY ADVISORY: http://secunia.com/advisories/12269/ CRITICAL: Moderately critical IMPACT: Unknown, Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information WHERE: >From remote SOFTWARE: IceWarp Web Mail 5.x http://secunia.com/product/3775/ IceWarp Web Mail 1.x http://secunia.com/product/756/ IceWarp Web Mail 2.x http://secunia.com/product/757/ IceWarp Web Mail 3.x http://secunia.com/product/758/ IceWarp Web Mail 4.x http://secunia.com/product/2283/ DESCRIPTION: Multiple unspecified vulnerabilities have been reported in IceWarp Web Mail, which can potentially be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, access sensitive information, and manipulate the file system. The vendor has provided the following information, which is security related, in the release notes: - HTML validation fix (foldertree) - writemail shortcuts improvement - calendar/note/modify FIX - getusersession secured - CSS attacks calendar.html/notes/foldername accountsettings/add/accountname search/search string address/group name - Making any directories on target system. (logged user) - Full install path disclosure. (guest) - Viewing or downloading any attachments. - Deleting any files on target system. - Moving any files or directories on target system. (guest) - Renaming any files or directories on target system. (logged user) - Security vulerabilities fixed: SQL injection - Security vulerabilities fixed: attachment,schedule/calendar - execute without knowing user's session ID number SOLUTION: Update to version 5.2.8. http://www.icewarp.com/Download/ PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.icewarp.com/Products/IceWarp_Web_Mail/releasenotes_webmail.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------