SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >
=======================================================================
title: Multiple vulnerabilities in SpamTitan
product: SpamTitan
vulnerable version: <=5.12, 5.13 is likely to be affected too
fixed version: 6.00
impact: Critical
homepage: www.spamtitan.com
found: 2013-05-08
by: V. Paulikas
SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"SpamTitan Technologies is a global provider of sophisticated enterprise-level
email security solutions, offering small and medium sized businesses the most
comprehensive protection from email threats, including spam, viruses, Trojans,
phishing, malware and other unwanted content. Our anti spam product was
launched in 2006. Today, we offer different deployment options of SpamTitan:
ISO, VMware and on Demand (cloud based appliance)."
Business recommendation:
------------------------
All discovered vulnerabilities can be exploited _without_ authentication and
therefore pose a highly critical security risk, as the remote command execution
vulnerability can be used to compromise the server. Moreover, the SQL injection
allows access to database records, such as the usernames and hashed passwords
of the management interface.
The scope of the test, where the vulnerabilities have been identified, was a
very short evaluation crash-test which the software utterly failed. It is
assumed that further critical vulnerabilities exist within this product!
The recommendation of SEC Consult is to immediately switch off
existing SpamTitan systems until further security measures (vendor patch) and
thorough follow-up security tests have been implemented and performed.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Scripting
The web GUI is prone to reflected Cross-Site Scripting attacks. The
vulnerability can be used to inject HTML or JavaScript code into the affected
web page. The code is executed in the browser of users who visit the
manipulated site.
2) SQL Injection
The web GUI is prone to unauthenticated SQL injection. The vulnerability can
be used to access data, such as usernames and MD5 hashed passwords of the web
application users, stored in the database of SpamTitan.
3) Remote command execution
Due to insufficient input validation, the web GUI fails to properly filter
malicious user-supplied input. This leads to unauthenticated OS command
injection with the privileges of the web server. By exploiting this
vulnerability, an attacker can read/write files, open connections, etc., posing
a critical security risk.
Proof of concept:
-----------------
1) The login form of the web GUI is vulnerable to reflected Cross-Site Scripting.
The supplied email address value is reflected without proper validation and
executed in the context of the web browser.
[The PoC URL has been removed from this advisory]
2) The parameter sortkey of the setup-relay-x.php script is vulnerable to SQL
Injection:
[The PoC URL has been removed from this advisory]
3) Due to improper user input validation it is possible to inject arbitrary
operating system commands enclosed in backticks (`). The parameter ldapserver
of the aliases-x.php script is affected by this vulnerability.
[The PoC URL has been removed from this advisory]
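The three inputs named above (the reflected login email, the sortkey column and the ldapserver host name) each call for a different fix: output encoding, an allowlist and strict syntax validation with no shell involved. The following is an added illustration written for this advisory, not SpamTitan's own code; the column allowlist, the ldapsearch invocation and the sample values are assumptions.

```python
"""Defensive handling of the three inputs this advisory names.

Added example, not code from SpamTitan. The relay column names and the
ldapsearch command line are assumed for illustration only.
"""
import html
import re

# RFC 1123 host name: labels of letters, digits and hyphens, joined by dots.
# IPv4 literals also match, since their labels are plain digit strings.
# Every shell metacharacter (backtick, quote, semicolon, space, ...) is
# outside this character class and is therefore rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed allowlist of columns the relay listing may be sorted by.
SORT_COLUMNS = frozenset({"domain", "destination", "port"})


def safe_reflected_email(value: str) -> str:
    """Escape an email address before echoing it back into the login page,
    so a reflected value cannot terminate the attribute or text node it is
    placed in (fix for 1)."""
    return html.escape(value, quote=True)


def is_valid_sort_key(value: str) -> bool:
    """An ORDER BY column name cannot be bound as a query parameter, so the
    only safe approach is comparing it against known column names (fix for
    2). The WHERE values of the same query still belong in bound parameters."""
    return value in SORT_COLUMNS


def is_valid_ldap_server(value: str) -> bool:
    """Accept only a syntactically valid host name or IPv4 address. Anything
    else is rejected outright rather than escaped (fix for 3)."""
    return _HOST_RE.match(value) is not None


def ldap_probe_args(server: str) -> list[str]:
    """Build the command as an argv list for subprocess.run(..., shell=False).
    With no shell in the chain, backticks in an argument are never
    interpreted; the validation above rejects them before this point anyway.
    ldapsearch with -H is assumed as the tool SpamTitan would call."""
    if not is_valid_ldap_server(server):
        raise ValueError(f"invalid LDAP server: {server!r}")
    return ["ldapsearch", "-H", f"ldap://{server}", "-x", "-s", "base"]
```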
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the SpamTitan VMware
Appliance version 5.12, which was the most recent version at the time of
discovery.
SEC Consult did not test the interim release 5.13; it is assumed that it is
vulnerable too.
Vendor contact timeline:
------------------------
2013-06-07: Contacted vendor through info@spamtitan.com, no response
2013-06-26: Contacted vendor again through helpdesk@spamtitan.com, no response
2013-07-17: Sending deadline for advisory release to vendor via
info@spamtitan.com, helpdesk@spamtitan.com
2013-07-17: Initial vendor response
2013-07-17: Forwarding security advisory to vendor
2013-07-17: Vendor acknowledges that the advisory was received
2013-07-17: Requesting the date of the patch
2013-07-17: Vendor responds with the end of September as patch release date
2013-09-09: Requesting patch status update
2013-09-11: Vendor reacknowledges end of September as patch release date
2013-09-30: Requesting patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requesting patch status update
2013-10-14: Vendor acknowledges that security patches and new version of the
product (v6) are available
2013-10-15: SEC Consult releases security advisory
Solution:
---------
According to the vendor, the new version 6.0 fixes the identified problems. The
new version can be downloaded from their website.
Workaround:
-----------
None
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF V. Paulikas / @2013