CVE-2015-1503
published 2018-05-08CVE-2015-1503: Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the…
PriorityP266high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
58.72%
99.0th percentile
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewarp | mail_server | < 11.2.0 | 11.2.0 |
Detection & IOCsextracted from sources · hover to see the quote
url/webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd↗
url/webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd↗
url/-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default↗
- →Detect directory traversal attempts against IceWarp by monitoring HTTP GET requests to /webmail/old/calendar/minimizer/index.php with 'script' or 'style' parameters containing the ...%2f.%2f traversal sequence. ↗
- →Detect directory traversal attempts against IceWarp by monitoring HTTP GET requests to /webmail/client/skins/default/css/css.php with the 'file' parameter containing ../ sequences (e.g., ../../../../../../../../../../etc/passwd). ↗
- →The obfuscated traversal sequence used is ...%2f.%2f (URL-encoded form of ..././), repeated multiple times to escape the web root. Signature-based detection should account for this non-standard encoding. ↗
- →The vulnerable css.php endpoint path includes a variable installation-specific prefix segment matching the pattern -.._._.--.._ followed by a numeric timestamp (e.g., -.._._.--.._ 1416610368). Shodan/FOFA queries on 'icewarp' titles can identify exposed instances. ↗
- →Exploitation is unauthenticated — no session cookie or credentials are required to trigger the traversal on the minimizer/index.php endpoint. ↗
- ·The path prefix for the css.php endpoint is installation-dependent and must be discovered from the page source before exploitation; it is not a fixed string. ↗
- ·The NVD advisory states the fix is in version 11.2, while the exploit-db PoC and Nuclei template reference version 11.1.1 as the patched version — detections should cover all versions below 11.2. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
IceWarp Mail Server < 11.1.1 - Directory Traversal
exploitdb·2018-05-04·CVSS 7.5
CVE-2015-1503 [HIGH] IceWarp Mail Server < 11.1.1 - Directory Traversal
IceWarp Mail Server < 11.1.1 - Directory Traversal
---
Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below
Product description:
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.
Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22
#Proof of Concept
The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET request to the
/webmail/client/skins/default/css/css.php. Directory Traversal
Exploit-DB
abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation
exploitdb·2015-12-01·CVSS 3.6
CVE-2015-5287 [LOW] abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation
abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation
---
#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------
# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release
# CentOS Linux release 7.1.1503 (Core)
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
#
Nuclei
IceWarp Mail Server <11.1.1 - Directory Traversal
nuclei·CVSS 7.5
CVE-2015-1503 [HIGH] IceWarp Mail Server <11.1.1 - Directory Traversal
IceWarp Mail Server <11.1.1 - Directory Traversal
IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.
Template:
id: CVE-2015-1503
info:
name: IceWarp Mail Server <11.1.1 - Directory Traversal
author: 0x_Akoko
severity: high
description: IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability.
impact: |
An attacker can access sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
remediation: |
Upgrade IceWarp Mail Server to version 11.1.1 or above to mitigate the directory traversal vulnerability.
reference:
- https://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.html
- http://www.icewarp.com
- https://nvd.nist.gov/vuln
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)
bugzilla·2015-11-25·CVSS 7.5
CVE-2015-2327 [HIGH] CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)
CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)
A stack-based buffer overflow vulnerability was found in compile_regex(), triggered via crafted regular expression.
Upstream bug (contains reproducer):
https://bugs.exim.org/show_bug.cgi?id=1503
Upstream patch:
http://vcs.pcre.org/pcre?view=revision&revision=1495
CVE request:
http://www.openwall.com/lists/oss-security/2015/05/31/5
Discussion:
Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1285409]
---
Upstream fixed it in 8.36 version. A reproducer is crash when compiling /(((a\2)|(a*)\g))*a?/BZ expression in pcretest tool.
---
This was fixed with pcre-8.35-4.fc21 in Fedora on 2014-07-14. No supported Fedora is affected now.
http://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.htmlhttps://www.exploit-db.com/exploits/44587/https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614http://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.htmlhttps://www.exploit-db.com/exploits/44587/https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614
2018-05-08
Published