Disclosure: Oempro Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 50321, 50322, 50323, 50324]

Title: Oempro Multiple Vulnerabilities

Release Date: 2008-12-01
Application: Octeth Technologies, Oempro 3.5.5.1
Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059
OSVDB: 50321 .. 50324
Reference: http://osvdb.org/ref/50/oempro.txt

Description:

“What is Oempro? Newsletters, product release announcement emails, e-cards, happy birthday emails, email reminders, auto responders, simply all kind of emails can easily be generated and sent by Oempro with powerful and detailed reporting features.”

Oempro contains a wide variety of vulnerabilities and configuration weaknesses that may allow an attacker to gain full access to the product, manipulate user accounts and more. The version tested was encountered during a vulnerability assessment and is relatively outdated. Subsequent versions were not available for testing.

1 – Cookies not marked Secure / HttpOnly

The Oempro application uses a PHPSESSID cookie to maintain authentication between the client and server. The cookie is set without the ‘secure’ (RFC 2109) or ‘httponly’ flag. The Secure flag ensures the cookie is only sent over encrypted channels, and the HttpOnly flag keeps it from being read by client-side script, which helps protect it from disclosure via cross-site scripting attacks.

HTTP/1.1 200 OK
Date: Tue, 01 Jul 2008 06:57:13 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6665
Content-Type: text/html; charset=UTF-8

-and-

HTTP/1.1 302 Found
Date: Wed, 02 Jul 2008 04:34:42 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: oempcliremme[0]=
Set-Cookie: oempcliremme[1]=
Set-Cookie: oempcliremme[2]=
Set-Cookie: oempcliremme[3]=
Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da
Location: ./bridge.php?GoToURL=
Content-Length: 0
Content-Type: text/html; charset=UTF-8
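The following is an added example, not part of the advisory or of Oempro. It parses raw HTTP response text, reports every cookie set without the Secure and HttpOnly attributes, and shows what the corrected Set-Cookie value looks like. RESPONSE_1 and RESPONSE_2 are constructed from the two responses quoted above, trimmed to the relevant headers.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the advisory or of Oempro: it parses raw HTTP
response text, reports cookies set without the two flags, and shows the
corrected header. RESPONSE_1 and RESPONSE_2 are constructed from the
advisory's own quoted responses, trimmed to the relevant headers.
"""
from typing import Dict, List, Set

RESPONSE_1 = """HTTP/1.1 200 OK
Date: Tue, 01 Jul 2008 06:57:13 GMT
Server: Apache/2.0.59
Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/
Content-Type: text/html; charset=UTF-8
"""

RESPONSE_2 = """HTTP/1.1 302 Found
Date: Wed, 02 Jul 2008 04:34:42 GMT
Set-Cookie: oempcliremme[0]=
Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da
Location: ./bridge.php?GoToURL=
Content-Length: 0
"""


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    values = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def _attribute_names(header_value: str) -> Set[str]:
    """Lower-cased attribute names following the name=value pair.

    Cookie attribute names are case-insensitive (RFC 6265), so
    'HttpOnly', 'httponly' and 'HTTPONLY' all count as present.
    """
    return {p.strip().partition("=")[0].lower() for p in header_value.split(";")[1:]}


def audit_cookie(header_value: str) -> Dict[str, object]:
    """Report the cookie name and which of Secure/HttpOnly are missing."""
    cookie_name = header_value.split(";", 1)[0].partition("=")[0].strip()
    present = _attribute_names(header_value)
    missing = [flag for flag in ("secure", "httponly") if flag not in present]
    return {"name": cookie_name, "missing": missing}


def audit_response(raw_response: str) -> List[Dict[str, object]]:
    """Audit every cookie a response sets; only cookies lacking a flag are returned."""
    results = (audit_cookie(v) for v in set_cookie_headers(raw_response))
    return [r for r in results if r["missing"]]


def harden_cookie(header_value: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value when they are absent."""
    value = header_value.rstrip("; ")
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in _attribute_names(value):
            value += "; " + flag
    return value


if __name__ == "__main__":
    for raw in (RESPONSE_1, RESPONSE_2):
        for finding in audit_response(raw):
            print(f"{finding['name']}: missing {', '.join(finding['missing'])}")
    print(harden_cookie("PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/"))
```

Running the script flags PHPSESSID, oempcliremme[0] and oempcli as lacking both attributes. Note that the Secure attribute only has an effect when the application is actually served over HTTPS; on a plain-HTTP deployment the cookie is still exposed on the wire regardless of the flag.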

2 – index.php SQL Injection Authentication Bypass

The authentication mechanism suffers from a SQL injection vulnerability that allows an attacker to bypass authentication. The ‘FormValue_Email’ variable (“Email” field) does not properly sanitize user input. By supplying SQL syntax such as “' or 0=0 #”, an attacker is logged in as an authenticated user. Oempro uses several separate login URLs, each corresponding to a privilege level; using the same input on /member/, /client/ and /admin/ allows the attacker to authenticate to multiple accounts, including an administrator.

    Email:          ' or 0=0 #
    Password:       password
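The following is an added example, not Oempro's code: it models the login check against an in-memory SQLite table, with the string-built query that produces the bypass described above beside the parameterized form that fixes it. SQLite's comment marker is `--` rather than MySQL's `#`, so the probe string differs from the advisory's only in that character. The account data is constructed; the PBKDF2 work factor is an assumption.

```python
"""Login lookup: string-built query beside the parameterized, hashed form.

Added example, not code from Oempro. The legacy model keeps a cleartext
password column (as the advisory's settings_account.php finding shows
the product does); the hardened model stores only a salted PBKDF2 hash
and never splices user input into SQL text.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

SAMPLE_EMAIL = "member@example.invalid"   # constructed sample account
SAMPLE_PASSWORD = "correct horse"          # constructed sample password
ITERATIONS = 100_000                       # assumption: PBKDF2 work factor
PROBE = "' or 0=0 --"                      # advisory's input, SQLite comment marker


def legacy_db() -> sqlite3.Connection:
    """Model of the vulnerable schema: cleartext password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES (1, ?, ?)", (SAMPLE_EMAIL, SAMPLE_PASSWORD))
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> Optional[int]:
    """String-built query: the email value becomes part of the SQL itself.

    With PROBE as the email the WHERE clause degenerates to
    "email='' or 0=0" and the password comparison is commented out.
    """
    sql = f"SELECT id FROM members WHERE email='{email}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value cannot be disclosed as cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hardened_db() -> sqlite3.Connection:
    """Hardened schema: per-user salt and hash, no cleartext password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO members VALUES (1, ?, ?, ?)",
        (SAMPLE_EMAIL, salt, hash_password(SAMPLE_PASSWORD, salt)),
    )
    return conn


def hardened_login(conn: sqlite3.Connection, email: str, password: str) -> Optional[int]:
    """Parameterized lookup: the email is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM members WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return user_id


if __name__ == "__main__":
    print("legacy   :", vulnerable_login(legacy_db(), PROBE, "password"))   # 1
    print("hardened :", hardened_login(hardened_db(), PROBE, "password"))   # None
    print("hardened :", hardened_login(hardened_db(), SAMPLE_EMAIL, SAMPLE_PASSWORD))  # 1
```

The same parameterized form is the fix for every place the product builds SQL from request variables, not only the login form; the point to check during review is whether any request value ever reaches the database driver as part of the query text rather than as a bound parameter.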

3 – /member/settings_account.php Cleartext Password Disclosure

Once authenticated, legitimately or via the SQL injection above, the application sends the user’s password in cleartext on the ‘Settings – Account Information’ tab (/member/settings_account.php). The password is stored in a hidden field (FormValue_Password) and is only visually masked with asterisks for the end user.

[Original PoC removed]
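The following is an added example, not the original PoC and not Oempro's code: a small scanner that parses an HTML page and reports hidden form fields whose names suggest a credential, which is how this finding can be checked across an application without inspecting every page by hand. The HTML is constructed; only the field name FormValue_Password comes from the advisory. The scanner deliberately reports the length of the value rather than the value itself, so that the audit output does not become a second copy of the disclosed password.

```python
"""Find hidden <input> fields that carry credential-like values.

Added example, not part of the advisory or of Oempro. SAMPLE_PAGE is
constructed; the FormValue_Password field name is from the advisory.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Substrings that mark a field name as credential-related (assumption).
SENSITIVE_NAME_HINTS = ("password", "passwd", "pwd", "secret", "token")

SAMPLE_PAGE = """
<form action="settings_account.php" method="post">
  <input type="hidden" name="FormValue_Password" value="hunter2">
  <input type="password" name="FormValue_PasswordDisplay" value="********">
  <input type="hidden" name="FormValue_Step" value="2">
  <input type="text" name="FormValue_Email" value="member@example.invalid">
</form>
"""


class HiddenCredentialFinder(HTMLParser):
    """Collects (field name, value length) for hidden credential-like inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, int]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Only hidden fields matter here; a type="password" field is masked by
        # the browser but is not the cleartext carrier the advisory describes.
        if a.get("type", "text").lower() != "hidden":
            return
        name = a.get("name", "")
        if a.get("value") and any(h in name.lower() for h in SENSITIVE_NAME_HINTS):
            self.findings.append((name, len(a["value"])))


def find_hidden_credentials(html: str) -> List[Tuple[str, int]]:
    """Return every hidden credential-like field in the page as (name, value length)."""
    parser = HiddenCredentialFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, length in find_hidden_credentials(SAMPLE_PAGE):
        print(f"hidden field {name} carries a {length}-character value")
```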

4 – /client/campaign_track.php FormValue_SearchKeywords Variable SQL Injection

The campaign tracking page (/client/campaign_track.php) does not properly filter user-supplied input, allowing for arbitrary SQL syntax to be passed to the database.

5 – Cross-frame Scripting

As described in CVE-2004-2383, the Oempro application does not implement code to prevent cross-frame scripting attacks. This can be used to construct more convincing phishing attacks to steal user credentials. While this is a browser-based vulnerability, applications can add a small amount of script code to ensure the window is not loaded inside a frame.

Product Details:

Vendor: Octeth Technologies
Product: Oempro
Version: 3.5.5.1

Solution:

Upgrade to version 4.

Disclosure Timeline:

2008-07-02: Vulnerability Discovered
2008-07-05: Disclosed to Vendor via [sales|press|security]@octeth.com
2008-07-05: security@ invalid. Sales #HZS-628697 opened automatically.
2008-07-07: CVE numbers assigned
2008-07-14: Vendor Acknowledgement from C.H.
2008-09-16: v4, said to fix issues, still not released
2008-10-05: Mail sent to C.H. asking for V4 release ETA
2008-11-22: v4 released, reportedly addresses issues
2008-12-01: Public Disclosure

CVE:

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2008-3057 (cookie handling), CVE-2008-3058 (SQL injection) and CVE-2008-3059 (password disclosure) to this issue.

References:

OSVDB: http://osvdb.org/50321 .. 50324
Vendor: http://octeth.com/products/oempro/
XSS Information: http://en.wikipedia.org/wiki/Cross_site_scripting
HttpOnly Cookie XSS Mitigation: http://msdn.microsoft.com/en-us/library/ms533046(VS.85).aspx