Vulnerabilities in IceWarp Server 10.4.5
Posted by Tonda Prukl, Last modified by Tonda Prukl on 25 June 2013 08:24 AM
We were recently informed of vulnerabilities in IceWarp Server 10.4.5. There are 2 types of potential issues:

1. The more problematic one (but quite difficult to misuse) is in the html/rpc scripts: a potential attacker may get the content of a file on the server, provided that they know the path to that file.

2. Cross-site scripting (XSS) in the WebClient Tablet interface and in the public calendar (html/webmail/calendar). This one has a smaller impact, as a potential attacker would have to send a malformed URL pointing to the webmail, and the JavaScript code in it would execute only if the user opens that URL.

Workaround

Customers who already run IceWarp Server 10.4.5 may simply rename the current /html folder and replace it with the one found at the URL below:
 http://www.icewarp.com/download/patches/10.4.5/html.zip

Customers on older versions are strongly recommended to upgrade to IceWarp Server 10.4.5-1; the installers at http://www.icewarp.com/downloads/ have already been repacked with the patched scripts.

Credits

The vulnerabilities were reported by SEC Consult Vulnerability Lab.
