*********************************************************

goSecurity - Advisory 2010120602

*********************************************************
Software: IceWarp Mail Server
Date: 06 Dec. 2010
Affected Versions: 10.1.3 (partially), 10.2.0
*********************************************************

Multiple XSS vulnerabilities in IceWarp Webclient

*********************************************************
Summary
-----------
IceWarp Webclient is prone to multiple Cross-Site
Scripting (non-persistent and persistent) vulnerabilities.
All of them must be triggered by HTTP-POST requests.

*********************************************************
Details
--------
Input passed via the following parameters is not properly
sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site.

File: http[s]://host/admin/login.html
Parameter: username
Type: persistent XSS
Version: 10.2.0

File: http[s]://host/webmail/basic/
Parameter: _dlg[captcha][controller]
Type: non-persistent XSS
Version: 10.1.3, 10.2.0 (possibly all 10.x versions <=10.2.0)

File: http[s]://host/webmail/basic/
Parameter: _dlg[captcha][action]
Type: non-persistent XSS
Version: 10.1.3, 10.2.0 (possibly all 10.x versions <=10.2.0)

File: http[s]://host/webmail/basic/
Parameter: _dlg[captcha][uid]
Type: non-persistent XSS
Version: 10.1.3, 10.2.0 (possibly all 10.x versions <=10.2.0)

File: http[s]://host/webmail/
Parameter: password
Type: non-persistent XSS
Version: 10.2.0
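
The file and parameter pairs listed above can be used as a review
filter over captured POST requests (for example at a reverse proxy).
This is an added example, not part of the original advisory or of
IceWarp's code; the function name, the metacharacter set and the
sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# (path -> parameters) taken from the advisory's Details list.
ADVISORY_PARAMS = {
    "/admin/login.html": {"username"},
    "/webmail/basic/": {
        "_dlg[captcha][controller]",
        "_dlg[captcha][action]",
        "_dlg[captcha][uid]",
    },
    "/webmail/": {"password"},
}

# Assumed set of characters that let a value leave HTML text or
# attribute context when it is echoed back unencoded.
HTML_META = set("<>\"'`")


def flag_request(method, url, body):
    """Return names of advisory parameters whose values contain HTML metacharacters.

    Only names are returned, never values, so a password is not copied
    into alerts. A legitimate password may contain these characters, so a
    hit on "password" is a lead for review rather than proof.
    """
    if method.upper() != "POST":  # the advisory states all issues need POST
        return []
    # Assumption: the path has already been normalised by the proxy.
    watched = ADVISORY_PARAMS.get(urlsplit(url).path)
    if not watched:
        return []
    # parse_qsl percent-decodes names and values (%5B -> "[", %3C -> "<").
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if name in watched and HTML_META & set(value)]


# Constructed sample requests (method, URL, urlencoded body).
SAMPLES = [
    ("POST", "https://host/webmail/basic/",
     "_dlg%5Bcaptcha%5D%5Buid%5D=%3Cb%3Ex%3C%2Fb%3E&_dlg%5Bcaptcha%5D%5Baction%5D=show"),
    ("POST", "https://host/admin/login.html", "username=admin"),
    ("GET", "https://host/webmail/basic/", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], flag_request(*sample))
```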

*********************************************************
Solution
---------
Upgrade to Version 10.2.1

*********************************************************
Credits
--------
Ron Ott - GO OUT Production GmbH
Mike Schneider - GO OUT Production GmbH
Thomas Wittmann - Wittmann Security Consulting

*********************************************************
Timeline (CET)
-----------------

18/11/10 Vulnerabilities discovered and confirmed with
         multiple installations of IceWarp Webclient
         10.1.3 and 10.2
19/11/10 First contact with vendor
23/11/10 Confirmed by vendor
24/11/10 Fixed by vendor
29/11/10 Customer information by vendor
06/12/10 Coordinated release with vendor

*********************************************************