Message-ID: <68cbfab10602231059q6a1ef756h225cafabdfd3d376@mail.gmail.com>
Date: Thu Feb 23 18:59:23 2006
From: h4cky0u.org at gmail.com (h4cky0u)
Subject: HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection
------------------------------------------------------
HYSA-2006-003 h4cky0u.org Advisory 012
------------------------------------------------------
Date - Thu Feb 24 2006
TITLE:
======
Oi! Email Marketing 3.0 SQL Injection
SEVERITY:
=========
High
SOFTWARE:
=========
Oi! Email Marketing 3.0. Prior versions may be affected.
INFO:
=====
Oi Email Marketing System is a Linux compatible application that can be a
stand-alone product or can be integrated into Mambo 2002 content management
system. It uses a powerful database which resides on your webserver and
allows complete control over all your subscribers, campaigns and emails.
Support Website : www.miro.com.au
DESCRIPTION:
============
Oi Email Marketing System is prone to an SQL injection vulnerability. This
issue is due to a failure in the index.php script of the application to
properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application,
disclosure or modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
POC:
====
First go to http://www.site.com/oi/index.php
In this login page provide the following inputs:
Username : username' OR '
Password : ' OR '
Note : here username should be a valid user registered on the site
(generally admin)
Also, if a 'superadministrator' login is found and successfully exploited,
the server's FTP password can be found by clicking 'Configuration' and
viewing the page's source (it is hidden by * in the rendered page):
<TD CLASS="dialogue_heading">Password</TD>
<TD><input type="password" name="ftpPassword" value="password"></TD>
VENDOR STATUS
=============
Vendor was contacted repeatedly, but no response has been received to date.
FIX:
====
No fix available as of this date.
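
The failure described under DESCRIPTION, shown next to the parameterized form that closes it, using the login inputs from the POC. This is an added example, not code from the advisory or from the vendor; the application's own PHP source is not shown on the page, so the query shape, the table and column names, and the use of Python with an in-memory SQLite database are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data; schema and values are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext only to mirror the assumed flawed schema; store a salted hash in real code.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def build_concatenated(username, password):
    """Assumed shape of the flawed query: input pasted between quotes."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_concatenated(db, username, password):
    """Flawed check: a quote in the input becomes part of the SQL text."""
    return db.execute(build_concatenated(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened check: placeholders keep both inputs as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    user, pw = "admin' OR '", "' OR '"  # POC inputs, 'admin' as the valid user
    # The WHERE clause becomes: username = 'admin' OR ('' AND password = '') OR ''
    print(build_concatenated(user, pw))
    print("concatenated, POC inputs :", login_concatenated(db, user, pw))
    print("parameterized, POC inputs:", login_parameterized(db, user, pw))
    print("parameterized, real login:",
          login_parameterized(db, "admin", "constructed-secret"))
```

Because AND binds tighter than OR, the password comparison drops out and only the username comparison decides the result, which is why the POC notes that the username must belong to a registered user.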
CREDITS:
========
- This vulnerability was discovered and researched by -
Illuminatus of h4cky0u Security Forums.
Mail : illuminatus85 at gmail dot com
Web : http://www.h4cky0u.org
- Co Researcher -
h4cky0u of h4cky0u Security Forums.
Mail : h4cky0u at gmail dot com
Web : http://www.h4cky0u.org
ORIGINAL ADVISORY:
==================
http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt
--
http://www.h4cky0u.org
(In)Security at its best...