SpamTitan 5.12 / 5.13 XSS / SQL Injection / Command Execution

Posted Oct 15, 2013
Authored by V. Paulikas | Site sec-consult.com

SpamTitan versions 5.12 and 5.13 suffer from cross site scripting, remote SQL injection, and remote command execution vulnerabilities.

tags | advisory, remote, vulnerability, xss, sql injection
SHA-256 | c16fe3abb595efe32f0b1b5fbd0ed00f77d61323e36a85f09c6a47b6c4b28d50

SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >
title: Multiple vulnerabilities in SpamTitan
product: SpamTitan
vulnerable version: <=5.12, 5.13 is likely to be affected too
fixed version: 6.00
impact: Critical
homepage: http://www.spamtitan.com/
found: 2013-05-08
by: V. Paulikas
SEC Consult Vulnerability Lab

Vendor description:
"SpamTitan Technologies is a global provider of sophisticated enterprise-level
email security solutions, offering small and medium sized businesses the most
comprehensive protection from email threats, including spam, viruses, Trojans,
phishing, malware and other unwanted content. Our anti spam product was
launched in 2006. Today, we offer different deployment options of SpamTitan:
ISO, VMware and on Demand (cloud based appliance)."


Business recommendation:
All discovered vulnerabilities can be exploited _without_ authentication and
therefore pose a highly critical security risk as the remote command execution
vulnerability can be used for compromising the server. Moreover, SQL injection
allows accessing the database records, such as usernames and hashed passwords
of the management interface.

The scope of the test, where the vulnerabilities have been identified, was a
very short evaluation crash-test which the software utterly failed. It is
assumed that further critical vulnerabilities exist within this product!

The recommendation of SEC Consult is to immediately switch off
existing SpamTitan systems until further security measures (vendor patch) and
thorough follow-up security tests have been implemented and performed.

Vulnerability overview/description:
1) Cross-Site Scripting

The web GUI is prone to reflected Cross-Site Scripting attacks. The
vulnerability can be used to inject HTML or JavaScript code into the affected
web page. The code is executed in the browser of any user who visits the
manipulated page.

2) SQL Injection

The web GUI is prone to unauthenticated SQL injection. The vulnerability can
be used to access data, such as usernames and MD5 hashed passwords of the web
application users, stored in the database of SpamTitan.

3) Remote command execution

Due to insufficient input validation, the web GUI fails to properly filter
malicious user-supplied input. This leads to unauthenticated OS command
injection with the privileges of the web server. By exploiting this
vulnerability, an attacker can read/write files, open network connections,
etc., posing a critical security risk.

Proof of concept:

1) The login form of the web GUI is vulnerable to reflected Cross-Site Scripting.
The supplied email address value is reflected without proper validation and
executed in the context of the web browser.

[The PoC URL has been removed from this advisory]

2) The parameter sortkey of the setup-relay-x.php script is vulnerable to a SQL
Injection vulnerability:

[The PoC URL has been removed from this advisory]

3) Due to improper user input validation it is possible to inject arbitrary
operating system commands enclosed in backticks (`). The parameter ldapserver
of the aliases-x.php script is affected by this vulnerability.

[The PoC URL has been removed from this advisory]
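The three issues above (command injection via backticks in the ldapserver parameter of aliases-x.php, SQL injection via the sortkey parameter of setup-relay-x.php, and reflected XSS of the login form's email value) share one root cause: user input reaches a shell, a query and an HTML page without allow-list validation or output encoding. The following Python script is an added example, not part of the SEC Consult advisory or of SpamTitan's code. It shows (a) the allow-list checks and output escaping that would have rejected such input, and (b) a small access-log scanner a defender can run to spot requests to the affected scripts that carry shell, SQL or HTML metacharacters in those parameters. The log lines, IP addresses, the login script name `login.php`, the `email` parameter name and the `ALLOWED_SORTKEYS` column names are all constructed assumptions; the advisory does not name the login script or the database columns.

```python
"""Added example: allow-list validation for the SpamTitan parameters named in
the SEC Consult advisory, plus a scanner over constructed access-log lines.
Not code from the advisory or the product; script/parameter names marked as
hypothetical are assumptions."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory describes injection through backticks; a hostname field has no
# business containing any of these characters, so all of them are refused.
SHELL_META = set("`$;|&<>(){}\n")
HTML_META_RE = re.compile(r"[<>\"']")

# RFC-1123 style hostname (or dotted IPv4) with optional :port, nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(?::\d{1,5})?$"
)

ALLOWED_SORTKEYS = frozenset({"domain", "relay", "port"})  # hypothetical column names
LOGIN_SCRIPT = "login.php"      # hypothetical: advisory does not name the login script
LOGIN_EMAIL_PARAM = "email"     # hypothetical parameter name for the reflected value

# Constructed sample log (two benign requests, three matching the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2013:10:01:02 +0200] "GET /aliases-x.php?ldapserver=ldap.example.com HTTP/1.1" 200 512
10.0.0.9 - - [15/Oct/2013:10:01:07 +0200] "GET /aliases-x.php?ldapserver=ldap.example.com%60x%60 HTTP/1.1" 200 512
10.0.0.9 - - [15/Oct/2013:10:01:12 +0200] "GET /setup-relay-x.php?sortkey=domain%27 HTTP/1.1" 500 0
10.0.0.5 - - [15/Oct/2013:10:01:20 +0200] "GET /setup-relay-x.php?sortkey=domain HTTP/1.1" 200 2048
10.0.0.9 - - [15/Oct/2013:10:01:33 +0200] "POST /index.php HTTP/1.1" 200 1024
10.0.0.9 - - [15/Oct/2013:10:01:40 +0200] "GET /login.php?email=a%3Cb%3E%40example.com HTTP/1.1" 200 1024
"""


def validate_ldapserver(value):
    """Allow-list check for a value that ends up on a shell command line."""
    if SHELL_META & set(value):
        return False
    return HOSTNAME_RE.match(value) is not None


def validate_sortkey(value, allowed=ALLOWED_SORTKEYS):
    """A sort column cannot be bound as a query parameter, so only a fixed
    set of column names is acceptable; anything else is rejected outright."""
    return value in allowed


def safe_reflect_email(value):
    """HTML-encode a value before reflecting it into a page (stops the XSS)."""
    return html.escape(value, quote=True)


def parse_request(line):
    """Return (ip, method, path, params) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes
    return m.group("ip"), m.group("method"), parts.path, params


def classify(line):
    """Findings for one line: the same allow-list checks applied after the fact."""
    req = parse_request(line)
    if req is None:
        return []
    _ip, _method, path, params = req
    script = path.rsplit("/", 1)[-1]
    findings = []
    if script == "aliases-x.php":
        for v in params.get("ldapserver", []):
            if not validate_ldapserver(v):
                findings.append("command-injection attempt: ldapserver")
    if script == "setup-relay-x.php":
        for v in params.get("sortkey", []):
            if not validate_sortkey(v):
                findings.append("sql-injection attempt: sortkey")
    if script == LOGIN_SCRIPT:
        for v in params.get(LOGIN_EMAIL_PARAM, []):
            if HTML_META_RE.search(v):
                findings.append("xss attempt: login email")
    return findings


def scan(log_text):
    """Return [(line_no, ip, finding), ...] over a whole log."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        req = parse_request(line)
        for f in classify(line):
            hits.append((no, req[0], f))
    return hits


if __name__ == "__main__":
    for no, ip, finding in scan(SAMPLE_LOG):
        print(f"line {no} from {ip}: {finding}")
```

The validation side is the fix a developer would apply: a hostname that goes to a shell is checked against a strict pattern (better still, the shell is avoided entirely), a sort column is looked up in a fixed set rather than concatenated into SQL, and the email value is HTML-encoded on output. The scanner only sees GET query strings, so a POST-based login form would need the application's own logging or a web application firewall in front of the appliance to catch the XSS case.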

Vulnerable / tested versions:
The vulnerabilities have been verified to exist in SpamTitan's VMware
Appliance version 5.12, which was the most recent version at the time of
testing. SEC Consult did not test the interim release 5.13; it is assumed to
be vulnerable too.

Vendor contact timeline:
2013-06-07: Contacted vendor through info@spamtitan.com, no response
2013-06-26: Contacted vendor again through helpdesk@spamtitan.com, no response
2013-07-17: Sending deadline for advisory release to vendor via
info@spamtitan.com, helpdesk@spamtitan.com
2013-07-17: Initial vendor response
2013-07-17: Forwarding security advisory to vendor
2013-07-17: Vendor acknowledges that the advisory was received
2013-07-17: Requesting the date of the patch
2013-07-17: Vendor responds with the end of September as patch release date
2013-09-09: Requesting patch status update
2013-09-11: Vendor reacknowledges end of September as patch release date
2013-09-30: Requesting patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requesting patch status update
2013-10-14: Vendor acknowledges that security patches and new version of the
product (v6) are available
2013-10-15: SEC Consult releases security advisory

According to the vendor, the new version 6.0 fixes the identified problems. The
new version can be downloaded from their website.


Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013