cbcvebase.
CVE-2015-1503
published 2018-05-08

CVE-2015-1503: Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the…

PriorityP266high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
58.72%
99.0th percentile
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
icewarpmail_server< 11.2.011.2.0

Detection & IOCsextracted from sources · hover to see the quote

url/webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd
url/webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd
path/webmail/old/calendar/minimizer/index.php
path/webmail/client/skins/default/css/css.php
url/-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default
otherServer: IceWarp/11.1.1.0
  • Detect directory traversal attempts against IceWarp by monitoring HTTP GET requests to /webmail/old/calendar/minimizer/index.php with 'script' or 'style' parameters containing the ...%2f.%2f traversal sequence.
  • Detect directory traversal attempts against IceWarp by monitoring HTTP GET requests to /webmail/client/skins/default/css/css.php with the 'file' parameter containing ../ sequences (e.g., ../../../../../../../../../../etc/passwd).
  • The obfuscated traversal sequence used is ...%2f.%2f (URL-encoded form of ..././), repeated multiple times to escape the web root. Signature-based detection should account for this non-standard encoding.
  • The vulnerable css.php endpoint path includes a variable installation-specific prefix segment matching the pattern -.._._.--.._ followed by a numeric timestamp (e.g., -.._._.--.._ 1416610368). Shodan/FOFA queries on 'icewarp' titles can identify exposed instances.
  • Exploitation is unauthenticated — no session cookie or credentials are required to trigger the traversal on the minimizer/index.php endpoint.
  • ·The path prefix for the css.php endpoint is installation-dependent and must be discovered from the page source before exploitation; it is not a fixed string.
  • ·The NVD advisory states the fix is in version 11.2, while the exploit-db PoC and Nuclei template reference version 11.1.1 as the patched version — detections should cover all versions below 11.2.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.