Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtCatatonicprime1337DAY-ID-19596
HistoryOct 19, 2012 - 12:00 a.m.

Campaign Enterprise 11 SQL Injection / Unauthorized Access

2012-10-1900:00:00
catatonicprime
0day.today
46

EPSS

0.021

Percentile

89.3%

JSON

Campaign Enterprise 11 suffers from multiple remote SQL injection, unauthorized access, clear text password storage, and direct access bypass vulnerabilities.
CVE-2012-3820, CVE-2012-3821, CVE-2012-3822, CVE-2012-3823, CVE-2012-3824

Overview
===============
Campaign Enterprise 11, by ArialSoftware (www.arialsoftware.com), "is
a mass email system you install on your own computer or server,  is
accessible using a web browser inside and/or outside your network, is
only a one-time cost, and has the best US-based tech support
available."

Multiple vulnerabilities were discovered in the "standard" software
package (other's were not assessed) <= v11.0.538.

Analysis
===============
For more information on the analysis and how the vulnerabilities were
discovered, I've setup a blog post covering the subject in greater
detail:
http://sadgeeksinsnow.blogspot.com/2012/10/my-first-experiences-bug-hunting-part-2.html

Timeline
===============

06/29/2011 - Discovered multiple bugs in an product vendor's application
06/29/2012 - Disclosure of details to product vendor & CVE assignment
10/08/2012 - Product vendor released patch for all all CVEs (v11.0.551)
10/18/2012 - Public disclosure to Bugtraq

CVE(s)
===============

CVE-2012-3820: Multiple SQL Injection: activate.asp – SerialNumber
field, User-Edit.asp – UID field

CVE-2012-3821: Unauthorized access to the activate.asp page, allows
modification of stored database field SerialNumber without
authentication or authorization.

CVE-2012-3822: Unauthorized access to the User-Edit.asp page, allows
attacker to enumerate users and their credentials by supplying their
UID in the querystring.

CVE-2012-3823: The product has stores passwords in clear text and
these may be retrieved  using the User-Edit.asp page.

CVE-2012-3824: Multiple pages accessible without authentication or
authorization which may lead to the unintended disclosure of
information or functionality but was not assessed. Register.asp,
Group-Edit.asp, Subscriber-Edit.asp, SMTP-Edit.asp, Email-Edit.asp,
Admin-GlobalConfig.asp, Admin-Users.asp, Campaign-Datasource.asp

Remediation
===============

Update to the current version of Campaign Enterprise 11, v11.0.551.



#  0day.today [2018-03-09]  #

Related

openvas 1
securityvulns 1
cvelist 5
prion 5
cve 5
nvd 5
openvas
openvas
Campaign Enterprise <= 11.0.538 Multiple Security Vulnerabilities - Active Check
2012-10-22 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-10-22 00:00:00
cvelist
cvelist
CVE-2012-3822
2020-01-10 16:49:44
CVE-2012-3820
2014-08-14 14:00:00
CVE-2012-3821
2020-01-10 19:21:51
prion
prion
Command injection
2020-01-10 17:15:00
Sql injection
2014-08-14 14:55:00
Security feature bypass
2020-01-10 20:15:00
cve
cve
CVE-2012-3822
2020-01-10 17:15:13
CVE-2012-3820
2014-08-14 14:55:04
CVE-2012-3821
2020-01-10 20:15:14
nvd
nvd
CVE-2012-3822
2020-01-10 17:15:13
CVE-2012-3820
2014-08-14 14:55:04
CVE-2012-3821
2020-01-10 20:15:14

EPSS

0.021

Percentile

89.3%

JSON
Related for 1337DAY-ID-19596
openvas1securityvulns1cvelist5prion5cve5nvd5