SEC Consult SA-20131015-0 :: Multiple vulnerabilities in SpamTitan


SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >
=======================================================================
              title: Multiple vulnerabilities in SpamTitan
            product: SpamTitan
 vulnerable version: <=5.12, 5.13 is likely to be affected too
      fixed version: 6.00
             impact: Critical
           homepage: http://www.spamtitan.com/
              found: 2013-05-08
                 by: V. Paulikas
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"SpamTitan Technologies is a global provider of sophisticated
enterprise-level email security solutions, offering small and medium
sized businesses the most comprehensive protection from email threats,
including spam, viruses, Trojans, phishing, malware and other unwanted
content. Our anti spam product was launched in 2006. Today, we offer
different deployment options of SpamTitan: ISO, VMware and on Demand
(cloud based appliance)."

http://www.spamtitan.com/

Business recommendation:
------------------------
All discovered vulnerabilities can be exploited _without_ authentication
and therefore pose a highly critical security risk, as the remote command
execution vulnerability can be used for compromising the server.
Moreover, SQL injection allows accessing the database records, such as
usernames and hashed passwords of the management interface.

The scope of the test, where the vulnerabilities have been identified,
was a very short evaluation crash-test which the software utterly failed.
It is assumed that further critical vulnerabilities exist within this
product!

The recommendation of SEC Consult is to immediately switch off existing
SpamTitan systems until further security measures (vendor patch) and
thorough follow-up security tests have been implemented and performed.

Vulnerability overview/description:
-----------------------------------
1) Cross-Site Scripting
The web GUI is prone to reflected Cross-Site Scripting attacks.
The vulnerability can be used to inject HTML or JavaScript code into the
affected web page. The code is executed in the browser of users if they
visit the manipulated site.

2) SQL Injection
The web GUI is prone to unauthenticated SQL injection. The vulnerability
can be used to access data, such as usernames and MD5 hashed passwords of
the web application users, stored in the database of SpamTitan.

3) Remote command execution
Due to insufficient input validation, the web GUI fails to properly
filter malicious input passed from the user side. This leads to
unauthenticated OS command injection with the privileges of the web
server. By exploiting this vulnerability, an attacker can read/write
files, open connections, etc., posing a critical security risk.

Proof of concept:
-----------------
1) The login form of the web GUI is vulnerable to reflected Cross-Site
Scripting. The supplied email address value is reflected without proper
validation and executed in the context of the web browser.

[The PoC URL has been removed from this advisory]

2) The parameter sortkey of the setup-relay-x.php script is vulnerable to
SQL injection:

[The PoC URL has been removed from this advisory]

3) Due to improper user input validation it is possible to inject
arbitrary operating system commands enclosed in backticks (`). The
parameter ldapserver of the aliases-x.php script is affected by this
vulnerability.

[The PoC URL has been removed from this advisory]

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in SpamTitan's VMware
appliance version 5.12, which was the most recent version at the time of
discovery. SEC Consult did not test the interim release 5.13; it is
assumed that it is vulnerable too.
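
Added example, not part of the SEC Consult advisory or SpamTitan's code: a
log check for findings 2) and 3) above that flags requests where sortkey
(setup-relay-x.php) or ldapserver (aliases-x.php) carries anything outside
a plain identifier or host name. It assumes the parameters appear in the
query string of a Combined Log Format access log; the allowlist patterns,
tags and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script/parameter pairs named in the advisory. The allowlist patterns for
# benign values and the tag names are assumptions of this example.
RULES = {
    "setup-relay-x.php": ("sortkey", re.compile(r"[A-Za-z0-9_]{1,64}"), "sqli-suspect"),
    "aliases-x.php": ("ldapserver", re.compile(r"[A-Za-z0-9.\-:\[\]]{1,255}"), "cmdi-suspect"),
}

# Combined Log Format: client first, request line quoted as "METHOD target PROTO".
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def scan_line(line):
    """Return (client, script, param, tag, value) findings for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    client, target = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]   # match on file name, any directory
    rule = RULES.get(script)
    if rule is None:
        return []
    param, allowed, tag = rule
    findings = []
    # parse_qs percent-decodes values, so %60 is compared as a literal backtick.
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if not allowed.fullmatch(value):
            findings.append((client, script, param, tag, value))
    return findings

def scan(lines):
    """Scan an iterable of access-log lines and collect all findings."""
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Oct/2013:10:00:01 +0000] "GET /setup-relay-x.php?sortkey=domain HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Oct/2013:10:00:05 +0000] "GET /setup-relay-x.php?sortkey=domain%27%20-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Oct/2013:10:00:09 +0000] "GET /aliases-x.php?ldapserver=%60PLACEHOLDER%60 HTTP/1.1" 200 128',
    '192.0.2.10 - - [15/Oct/2013:10:00:12 +0000] "GET /aliases-x.php?ldapserver=ldap.example.test HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so an empty
result does not rule out earlier requests of that kind.
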
Vendor contact timeline:
------------------------
2013-06-07: Contacted vendor through info@spamtitan.com, no response
2013-06-26: Contacted vendor again through helpdesk@spamtitan.com, no
            response
2013-07-17: Sending deadline for advisory release to vendor via
            info@spamtitan.com, helpdesk@spamtitan.com
2013-07-17: Initial vendor response
2013-07-17: Forwarding security advisory to vendor
2013-07-17: Vendor acknowledges that the advisory was received
2013-07-17: Requesting the date of the patch
2013-07-17: Vendor responds with the end of September as patch release
            date
2013-09-09: Requesting patch status update
2013-09-11: Vendor reacknowledges end of September as patch release date
2013-09-30: Requesting patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requesting patch status update
2013-10-14: Vendor acknowledges that security patches and new version of
            the product (v6) are available
2013-10-15: SEC Consult releases security advisory

Solution:
---------
According to the vendor, the new version 6.0 fixes the identified
problems. The new version can be downloaded from their website.

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013