HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HYSA-2006-003 Oi! Email Marketing 3.0 SQL Injection
From: h4cky0u.org@xxxxxxxxx
Date: 23 Feb 2006 19:48:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

------------------------------------------------------
      HYSA-2006-003 h4cky0u.org Advisory 012
------------------------------------------------------
Date - Thu Feb 24 2006


TITLE:
======

Oi! Email Marketing 3.0 SQL Injection


SEVERITY:
=========

High


SOFTWARE:
=========

Oi! Email Marketing 3.0. Prior versions maybe affected


INFO:
=====

Oi Email Marketing System is a Linux compatible application that can be a 
stand-alone product or can be integrated into Mambo 2002 content management 
system. It uses a powerful database which resides on your webserver and allows 
complete control over all your subscribers, campaigns and emails.

Support Website : www.miro.com.au


DESCRIPTION:
============

Oi Email Marketing System is prone to an SQL injection vulnerability. This 
issue is due to a failure in the index.php script of the application to 
properly sanitize user-supplied input before using it in SQL queries.

Successful exploitation could result in a compromise of the application, 
disclosure or modification of data, or may permit an attacker to exploit 
vulnerabilities in the underlying database implementation.


POC:
====

First go to http://www.site.com/oi/index.php

In this login page provide the following inputs:

Username : username' OR ' 

Password : ' OR '

Note : here username should be a valid user registered on the site (generally 
admin)

Also, if a 'superadministrator'login is found and sucessfully exploited the 
server's 
ftp password can be found by clicking 'Configuration' and viewing the pages 
source: 

(It's hidden by *) 

<TD CLASS="dialogue_heading">Password</TD> 
<TD><input type="password" name="ftpPassword" value="password"></TD>


VENDOR STATUS
=============

Vendor was contacted repeatedly but no response received till date.


FIX:
====

No fix available as of date.


CREDITS:
========

- This vulnerability was discovered and researched by -

Illuminatus of h4cky0u Security Forums.

Mail : illuminatus85 at gmail dot com

Web : http://www.h4cky0u.org


- Co Researcher -

h4cky0u of h4cky0u Security Forums.

Mail : h4cky0u at gmail dot com

Web : http://www.h4cky0u.org


ORIGINAL ADVISORY: 
================== 

http://www.h4cky0u.org/advisories/HYSA-2006-003-oi-email.txt 


-- 
http://www.h4cky0u.org 
(In)Security at its best...

Prev by Date: Event Speaker
Next by Date: NSA Group Security Advisory NSAG-№197-23.02.2006 Vulnerability CubeCart 3.0.0 – 3.0.6
Previous by thread: Event Speaker
Next by thread: NSA Group Security Advisory NSAG-№197-23.02.2006 Vulnerability CubeCart 3.0.0 – 3.0.6
Index(es):
- Date
- Thread