The Spiderlabs team at Trustwave published a new advisory today which detail issues discovered in the IceWarp Mail Server. IceWarp Mail Server solution supports SMTP, POP & IMAP standards and integrates anti-virus and anti-spam protection for email users. Administrators can manage their own email server with a GUI interface and remote users can access their email with a web 2.0 WebClient or Outlook. The issues in question were discovered while a penetration test was being performed for a Trustwave client.
The xml external entity injection and the php information disclosure was discovered by David Kirkpatrick who is a member of the SpiderLabs Network Penetration Testing team. David found that injecting a XML DOCTYPE "SYSTEM" directive when unauthenticated allowed local access to files on the operating system where the IceWarp Server is installed. He also discovered that the phpinfo() function was accessible and thus the version and configuration settings could be obtained. IceWarp was very responsive and managed to include these fixes in the September 19th release (version 10.3.3.).
For additional information, please view the full advisory at the following address: