SEC Consult SA-20131015-0 :: Multiple vulnerabilities in SpamTitan

From: SEC Consult Vulnerability Lab <>
To:,bugtraq <>
Subject: SEC Consult SA-20131015-0 :: Multiple vulnerabilities in SpamTitan

SEC Consult Vulnerability Lab Security Advisory < 20131015-0 >
              title: Multiple vulnerabilities in SpamTitan 
            product: SpamTitan 
 vulnerable version: <=5.12, 5.13 is likely to be affected too
      fixed version: 6.00
             impact: Critical
              found: 2013-05-08
                 by: V. Paulikas 
                     SEC Consult Vulnerability Lab 

Vendor description:
"SpamTitan Technologies is a global provider of sophisticated enterprise-level 
email security solutions, offering small and medium sized businesses the most 
comprehensive protection from email threats, including spam, viruses, Trojans, 
phishing, malware and other unwanted content. Our anti spam product was 
launched in 2006. Today, we offer different deployment options of SpamTitan: 
ISO, VMware and on Demand (cloud based appliance)."

Business recommendation:
All discovered vulnerabilities can be exploited _without_ authentication and
therefore pose a highly critical security risk as the remote command execution
vulnerability can be used for compromising the server. Moreover, SQL injection
allows accessing the database records, such as usernames and hashed passwords
of the management interface.

The scope of the test, where the vulnerabilities have been identified, was a
very short evaluation crash-test which the software utterly failed. It is
assumed that further critical vulnerabilities exist within this product!

The recommendation of SEC Consult is to immediately switch off
existing SpamTitan systems until further security measures (vendor patch) and
thorough follow-up security tests have been implemented and performed.

Vulnerability overview/description:
1) Cross-Site Scripting

The web GUI is prone to the reflected Cross-Site Scripting attacks. The 
vulnerability can be used to include HTML or JavaScript code to the affected 
web page. The code is executed in the browser of users if they visit the 
manipulated site. 
2) SQL Injection

The web GUI is prone to unauthenticated SQL injection. The vulnerability can
be used to access data, such as usernames and MD5 hashed passwords of the web
application users, stored in the database of SpamTitan.

3) Remote command execution

Due to insufficient input validation, the web GUI fails to properly filter
malicious user input passed from the user side. This leads to unauthenticated
OS command injection with the privileges of the web server. By exploiting this
vulnerability, an attacker can read/write files, open connections, etc. posing
a critical security risk.

Proof of concept:

1) The login form of the web GUI is vulnerable to reflected Cross-Site Scripting. 
The supplied email address value is reflected without proper validation and 
executed in the context of the web browser. 

[The PoC URL has been removed from this advisory]

2) The parameter sortkey of the setup-relay-x.php script is vulnerable to a SQL 
Injection vulnerability:

[The PoC URL has been removed from this advisory]

3) Due to improper user input validation it is possible to inject arbitrary 
operating system commands enclosed in backticks (`). The parameter ldapserver 
of the aliases-x.php script is affected by this vulnerability.

[The PoC URL has been removed from this advisory]

Vulnerable / tested versions:
The vulnerabilities have been verified to exist in the SpamTitan's VMWare 
Appliance version 5.12, which was the most recent version at the time of 
SEC Consult did not test the interim release 5.13, it is assumed that it is
vulnerable too.

Vendor contact timeline:
2013-06-07: Contacted vendor through, no response
2013-06-26: Contacted vendor again through, no response
2013-07-17: Sending deadline for advisory release to vendor via
2013-07-17: Initial vendor response
2013-07-17: Forwarding security advisory to vendor
2013-07-17: Vendor acknowledges that the advisory was received
2013-07-17: Requesting the date of the patch
2013-07-17: Vendor responds with the end of September as patch release date
2013-09-09: Requesting patch status update
2013-09-11: Vendor reacknowledges end of September as patch release date
2013-09-30: Requesting patch status update
2013-09-30: Vendor responds with a delayed patch release date
2013-10-14: Requesting patch status update
2013-10-14: Vendor acknowledges that security patches and new version of the
            product (v6) are available
2013-10-15: SEC Consult releases security advisory

According to the vendor, the new version 6.0 fixes the identified problems. The
new version can be downloaded from their website.


Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com

EOF V. Paulikas / @2013

Copyright © 1995-2019 All rights reserved.