SECURITYVULNS:DOC:11557
HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection
Feb 24, 2006
Source: vulners.com

  HYSA-2006-003 h4cky0u.org Advisory 012

Date - Thu Feb 24 2006

TITLE:

Oi! Email Marketing 3.0 SQL Injection

SEVERITY:

High

SOFTWARE:

Oi! Email Marketing 3.0. Prior versions may be affected.

INFO:

Oi Email Marketing System is a Linux compatible application that can be a stand-alone product or can be
integrated into Mambo 2002 content management system. It uses a powerful database which resides on your
webserver and allows complete control over all your subscribers, campaigns and emails.

Support Website : www.miro.com.au

DESCRIPTION:

Oi Email Marketing System is prone to an SQL injection vulnerability. This issue is due to a failure in the
index.php script of the application to properly sanitize user-supplied input before using it in SQL queries.

Successful exploitation could result in a compromise of the application, disclosure or modification of data,
or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

POC:

First go to http://www.site.com/oi/index.php

In this login page provide the following inputs:

Username : username' OR '

Password : ' OR '

Note : here username should be a valid user registered on the site (generally admin)

Also, if a 'superadministrator' login is found and successfully exploited, the server's
ftp password can be found by clicking 'Configuration' and viewing the page's source:

(It's hidden by *)

<TD CLASS="dialogue_heading">Password</TD>
<TD><input type="password" name="ftpPassword" value="password"></TD>
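The query pattern behind this class of login bug beside its parameterized fix, as an added example that is not part of the original advisory or the vendor's code; the in-memory table, column names and credentials are constructed, and the concatenated query is a hypothetical reconstruction of the bug class, not the product's index.php:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern (hypothetical reconstruction): user input is spliced
    straight into the SQL text, so quotes in the input become SQL syntax.
    With username "admin' OR '" and password "' OR '" the WHERE clause turns into
      username = 'admin' OR '' AND password = '' OR ''
    and the tautology-free first term alone matches the admin row."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: bound parameters keep the input as data, never as SQL
    syntax, so the same strings are looked up literally and match nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Return (vulnerable_result, hardened_result) for one credential pair."""
    conn = make_db()
    return login_concat(conn, username, password), login_param(conn, username, password)


if __name__ == "__main__":
    # Valid credentials succeed under both implementations.
    print("valid creds      :", compare("admin", "correct-horse"))
    # The advisory's inputs bypass the concatenated query but not the bound one.
    print("advisory inputs  :", compare("admin' OR '", "' OR '"))
```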

VENDOR STATUS

Vendor was contacted repeatedly but no response has been received to date.

FIX:

No fix available as of this date.

CREDITS:

  • This vulnerability was discovered and researched by -

Illuminatus of h4cky0u Security Forums.

Mail : illuminatus85 at gmail dot com

Web : http://www.h4cky0u.org

  • Co-researcher -

h4cky0u of h4cky0u Security Forums.

Mail : h4cky0u at gmail dot com

Web : http://www.h4cky0u.org

ORIGINAL ADVISORY:

http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt

–
http://www.h4cky0u.org
(In)Security at its best…