Open Redirection Vulnerability in the IceWarp WebClient Product - CVE-2023-40779

Muthumohanprasath - (Imjust0)
Sep 4, 2023

Dear Folks,

Hi, I am Muthumohanprasath, an Independent Security Researcher.

This post is about how I found an open redirection vulnerability in IceWarp Mail Server Deep Castle 2 v13.0.1.2, which allows an attacker to perform an open redirection attack.

What is an Open Redirection Vulnerability?

Open redirection is a vulnerability that lets an attacker make the application redirect users to a URL other than the one that was intended.

This is done by manipulating the URL to include parameters that send the user to a different URL.

Affected Product and Its Version: IceWarp Mail Server, IceWarp Server Deep Castle 2 update 1 (13.0.1.2)

CVE assigned to this vulnerability: CVE-2023-40779

Impact of this Vulnerability:

A legitimate user can be tricked and redirected to an attacker-controlled website by successfully exploiting the open redirection vulnerability.

Detailed explanation of how I found this vulnerability

Step 01: I searched the internet for subdomains that use the IceWarp WebClient.

As a result, I found one subdomain of a website: https://mail.cnto.com.sg/

As the screenshot showed, this subdomain, https://mail.cnto.com.sg, is running IceWarp WebClient 2023.

Step 02: I started to fuzz the URL of this application for open redirection.

When I tried a basic path-based open redirection payload, it did not redirect.

After spending some time, I finally crafted an encoded payload for the open redirection.

The crafted encoded payload for the open redirection vulnerability is: /%5cexample.com/%2f%2e%2e

Now append this payload to the URL of the subdomain that uses the IceWarp WebClient.

The final crafted PoC URL is: https://mail.cnto.com.sg/%5cexample.com/%2f%2e%2e

Opening this crafted URL in a browser redirects you to the example.com website.

Here I used "example.com" as the website to which I wanted to redirect users.

As the PoC screenshot showed, I placed the payload in the URL.

Press Enter to send the request to the crafted URL.

As the PoC screenshot showed, as soon as the user presses Enter, the victim is redirected to the example.com website.

This confirms that IceWarp Mail Server Deep Castle 2 update 1 (13.0.1.2) is vulnerable to open redirection.
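As an added defender-side example (not code from the original post or from IceWarp), the Python below normalises a request path the way a browser would, percent-decoding it and treating %5c (backslash) as a slash, so the payload above becomes //example.com//.., a protocol-relative URL, and then uses that normalisation both to validate redirect targets and to flag such probes in access logs. The allowed host name and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the original post). The second
# has the shape of the post's payload; the third is a plain protocol-relative variant.
LOG_LINES = [
    '203.0.113.5 - - [04/Sep/2023:10:00:00 +0000] "GET /webmail/ HTTP/1.1" 200',
    '203.0.113.5 - - [04/Sep/2023:10:00:01 +0000] "GET /%5cexample.com/%2f%2e%2e HTTP/1.1" 302',
    '203.0.113.5 - - [04/Sep/2023:10:00:02 +0000] "GET //example.com HTTP/1.1" 302',
]
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalise_path(raw: str) -> str:
    """Percent-decode until stable (defeats double encoding), then map backslash
    to slash, which is how browsers parse it inside http(s) URLs."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")

def redirect_host(raw: str):
    """Host a browser would land on if `raw` were used as a redirect target,
    or None when it stays on the current origin."""
    parts = urlsplit(normalise_path(raw))
    return parts.netloc.lower() or None

def is_safe_redirect(raw: str, allowed_host: str) -> bool:
    """Accept only a local absolute path or an http(s) URL on allowed_host
    (an assumed host name); reject anything that resolves elsewhere."""
    norm = normalise_path(raw)
    if any(ord(c) < 0x21 for c in norm):  # control characters / whitespace
        return False
    parts = urlsplit(norm)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.netloc.lower() == allowed_host.lower()
    return norm.startswith("/") and not norm.startswith("//")

def flag_suspicious_paths(lines):
    """Detection: (path, host) for each request whose path would resolve
    off-origin once decoded, the signature of this kind of probe."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and redirect_host(m.group(1)):
            hits.append((m.group(1), redirect_host(m.group(1))))
    return hits
```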

Author of this CVE:

Muthumohanprasath R

LinkedIn Profile: https://www.linkedin.com/in/muthumohanprasath-r-264737147/

Thanks for Reading!! :)
