Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30184
HistoryJan 08, 2014 - 12:00 a.m.

SEC Consult SA-20131015-0 :: Multiple vulnerabilities in SpamTitan

2014-01-0800:00:00
vulners.com
27
JSON

SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >

          title: Multiple vulnerabilities in SpamTitan 
        product: SpamTitan

vulnerable version: <=5.12, 5.13 is likely to be affected too
fixed version: 6.00
impact: Critical
homepage: http://www.spamtitan.com/
found: 2013-05-08
by: V. Paulikas
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor description:

"SpamTitan Technologies is a global provider of sophisticated enterprise-level
email security solutions, offering small and medium sized businesses the most
comprehensive protection from email threats, including spam, viruses, Trojans,
phishing, malware and other unwanted content. Our anti spam product was
launched in 2006. Today, we offer different deployment options of SpamTitan:
ISO, VMware and on Demand (cloud based appliance)."

http://www.spamtitan.com/

Business recommendation:

All discovered vulnerabilities can be exploited without authentication and
therefore pose a highly critical security risk as the remote command execution
vulnerability can be used for compromising the server. Moreover, SQL injection
allows accessing the database records, such as usernames and hashed passwords
of the management interface.

The scope of the test, where the vulnerabilities have been identified, was a
very short evaluation crash-test which the software utterly failed. It is
assumed that further critical vulnerabilities exist within this product!

The recommendation of SEC Consult is to immediately switch off
existing SpamTitan systems until further security measures (vendor patch) and
thorough follow-up security tests have been implemented and performed.

Vulnerability overview/description:

1) Cross-Site Scripting

The web GUI is prone to the reflected Cross-Site Scripting attacks. The
vulnerability can be used to include HTML or JavaScript code to the affected
web page. The code is executed in the browser of users if they visit the
manipulated site.

2) SQL Injection

The web GUI is prone to unauthenticated SQL injection. The vulnerability can
be used to access data, such as usernames and MD5 hashed passwords of the web
application users, stored in the database of SpamTitan.

3) Remote command execution

Due to insufficient input validation, the web GUI fails to properly filter
malicious user input passed from the user side. This leads to unauthenticated
OS command injection with the privileges of the web server. By exploiting this
vulnerability, an attacker can read/write files, open connections, etc. posing
a critical security risk.

Proof of concept:

1) The login form of the web GUI is vulnerable to reflected Cross-Site Scripting.
The supplied email address value is reflected without proper validation and
executed in the context of the web browser.

[The PoC URL has been removed from this advisory]

2) The parameter sortkey of the setup-relay-x.php script is vulnerable to a SQL
Injection vulnerability:

[The PoC URL has been removed from this advisory]

3) Due to improper user input validation it is possible to inject arbitrary
operating system commands enclosed in backticks (`). The parameter ldapserver
of the aliases-x.php script is affected by this vulnerability.

[The PoC URL has been removed from this advisory]

Vulnerable / tested versions:

The vulnerabilities have been verified to exist in the SpamTitan's VMWare
Appliance version 5.12, which was the most recent version at the time of
discovery.
SEC Consult did not test the interim release 5.13, it is assumed that it is
vulnerable too.

Vendor contact timeline:

2013-06-07: Contacted vendor through [email protected], no response
2013-06-26: Contacted vendor again through [email protected], no response
2013-07-17: Sending deadline for advisory release to vendor via
[email protected], [email protected]
2013-07-17: Initial vendor response
2013-07-17: Forwarding security advisory to vendor
2013-07-17: Vendor acknowledges that the advisory was received
2013-07-17: Requesting the date of the patch
2013-07-17: Vendor responds with the end of September as patch release date
2013-09-09: Requesting patch status update
2013-09-11: Vendor reacknowledges end of September as patch release date
2013-09-30: Requesting patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requesting patch status update
2013-10-14: Vendor acknowledges that security patches and new version of the
product (v6) are available
2013-10-15: SEC Consult releases security advisory

Solution:

According to the vendor, the new version 6.0 fixes the identified problems. The
new version can be downloaded from their website.

Workaround:

None

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013
JSON