Title: Oempro Multiple Vulnerabilities
Release Date: 2008-12-01
Application: Octeth Technologies, Oempro 3.5.5.1
Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059
           OSVDB 50321 .. 50324
Reference: http://osvdb.org/ref/50/oempro.txt

Description:
------------

"What is Oempro? Newsletters, product release announcement emails, e-cards,
happy birthday emails, email reminders, auto responders, simply all kind of
emails can easily be generated and sent by Oempro with powerful and detailed
reporting features."

Oempro contains a wide variety of vulnerabilities and configuration
weaknesses that may allow an attacker to gain full access to the product,
manipulate user accounts and more. The version tested was discovered during a
vulnerability assessment and is relatively outdated. Subsequent versions were
not available for testing.

#1 - Cookies not marked Secure / HttpOnly

The Oempro application uses a PHPSESSID cookie to maintain authentication
between the client and server. The cookie is set without the 'secure'
(RFC 2109) or 'httponly' flag. The Secure flag tells the browser to send the
cookie only over an encrypted (HTTPS) connection; the HttpOnly flag keeps it
out of reach of client-side script (document.cookie), so a cross-site
scripting bug cannot simply read the session identifier and hand it to an
attacker.
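As an added example, not code from this advisory or from Oempro, the following Python script parses raw HTTP responses and reports every cookie that is set without the Secure or HttpOnly attribute. The responses it audits are constructed to mirror the two captured responses quoted in this finding (session identifier kept, uninteresting headers dropped), plus one correctly flagged cookie for contrast; the third response is not something Oempro sends.

```python
"""Flag Set-Cookie headers that lack the Secure or HttpOnly attribute.

Added example, not part of the advisory or of Oempro. The sample responses are
constructed, modelled on the two captured responses in finding #1.
"""
import re
from typing import Dict, List

# Constructed samples. The third response is a correctly flagged cookie for
# contrast; it is not something Oempro 3.5.5.1 sends.
RAW_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.59\r\n"
    "Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n",
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: oempcliremme[0]=\r\n"
    "Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da\r\n"
    "Location: ./bridge.php?GoToURL=\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n",
]


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in one raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Record the cookie name and whether Secure / HttpOnly are present.

    Attribute names are case-insensitive (RFC 6265), so 'path=/' and 'Path=/',
    or 'secure' and 'Secure', are treated alike.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def find_weak_cookies(responses: List[str]) -> List[Dict[str, object]]:
    """Audit every cookie set by the responses; return those missing a flag."""
    weak = []
    for raw in responses:
        for header in set_cookie_headers(raw):
            record = audit_cookie(header)
            if not (record["secure"] and record["httponly"]):
                weak.append(record)
    return weak


if __name__ == "__main__":
    for record in find_weak_cookies(RAW_RESPONSES):
        missing = [f for f in ("secure", "httponly") if not record[f]]
        print("%s: missing %s" % (record["name"], ", ".join(missing)))
```

Run against the constructed samples it reports PHPSESSID, oempcliremme[0] and oempcli and stays silent on the third response. For a PHP application such as Oempro the session cookie flags are governed by the session.cookie_secure and session.cookie_httponly directives (or session_set_cookie_params()), and application cookies set with setcookie() take an httponly argument from PHP 5.2 on; Secure only helps if the application is actually served over HTTPS.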
HTTP/1.1 200 OK
Date: Tue, 01 Jul 2008 06:57:13 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6665
Content-Type: text/html; charset=UTF-8

-and-

HTTP/1.1 302 Found
Date: Wed, 02 Jul 2008 04:34:42 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: oempcliremme[0]=
Set-Cookie: oempcliremme[1]=
Set-Cookie: oempcliremme[2]=
Set-Cookie: oempcliremme[3]=
Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da
Location: ./bridge.php?GoToURL=
Content-Length: 0
Content-Type: text/html; charset=UTF-8

#2 - index.php SQL Injection Authentication Bypass

The authentication mechanism suffers from a SQL injection vulnerability that
allows an attacker to bypass authentication. The 'FormValue_Email' variable
("Email" field) is placed into the login query without sanitization or
parameterization. Supplying SQL syntax such as "' or 0=0 #" closes the string
literal, adds a condition that is true for every row, and comments out the
remainder of the query ('#' is a MySQL comment), including the password
comparison, so the attacker is logged in as an authenticated user without
knowing any password. The structure of Oempro has several URLs that control
the privilege of the account. Using this trick on /member/, /client/ and
/admin/ allows the attacker to authenticate as multiple accounts, including
an administrator.

Email: ' or 0=0 #
Password: password

#3 - /member/settings_account.php Cleartext Password Disclosure

Once authenticated, legitimately or via the SQL injection listed above, the
application sends the user's password in cleartext on the 'Settings - Account
Information' tab (/member/settings_account.php). The password is stored in a
hidden field (FormValue_Password) and only visually obscured with asterisks
for the end user; it is present unmasked in the page source and in the
response on the wire.

[..]
Email
Password
[..]
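An added example, not Oempro's code, showing why the payload in #2 bypasses the login: a string-built query beside its parameterized replacement, run against a constructed SQLite user table. Oempro's real schema, query and login logic are not known and are assumed here (including that the application treats the first row returned as the logged-in user, and that passwords are stored in cleartext, which finding #3 suggests). SQLite has no '#' comment, so the payload is written with the equivalent '-- ' terminator.

```python
"""SQL injection authentication bypass: the vulnerable query beside a fixed one.

Added example, not Oempro's code. The user table is constructed; Oempro's real
schema and login query are not known. Passwords are stored in cleartext here,
an assumption consistent with finding #3.
"""
import sqlite3
from typing import Optional, Tuple

# The advisory's payload ends in '#', which starts a comment in MySQL. SQLite
# has no '#' comment, so the same trick is written with '-- ' here; the effect
# is identical: everything after it, including the password check, is dropped.
BYPASS_EMAIL = "' or 0=0 -- "
BYPASS_PASSWORD = "password"


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with an administrator listed first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.com", "s3cret", "admin"),
         ("alice@example.com", "hunter2", "member")],
    )
    return conn


def build_vulnerable_query(email: str, password: str) -> str:
    """Splice the form fields straight into SQL, the defect the advisory describes."""
    return ("SELECT email, role FROM users WHERE email='%s' AND password='%s'"
            % (email, password))


def login_vulnerable(conn: sqlite3.Connection, email: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """Run the spliced query; the first matching row is treated as the login.

    With BYPASS_EMAIL the WHERE clause degenerates to "email='' or 0=0", which
    matches every account, so the first row (the administrator) comes back.
    """
    return conn.execute(build_vulnerable_query(email, password)).fetchone()


def login_fixed(conn: sqlite3.Connection, email: str,
                password: str) -> Optional[Tuple[str, str]]:
    """Bound parameters: the input is compared as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email=? AND password=?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("query sent:", build_vulnerable_query(BYPASS_EMAIL, BYPASS_PASSWORD))
    print("vulnerable:", login_vulnerable(db, BYPASS_EMAIL, BYPASS_PASSWORD))
    print("fixed:     ", login_fixed(db, BYPASS_EMAIL, BYPASS_PASSWORD))
```

The same remediation applies to every other field that reaches the database, including the FormValue_SearchKeywords parameter of /client/campaign_track.php in #4 and the login forms under /member/, /client/ and /admin/: bind the value as a query parameter rather than interpolating it into the SQL text.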
#4 - /client/campaign_track.php FormValue_SearchKeywords Variable SQL Injection

The campaign tracking page (/client/campaign_track.php) does not properly
filter user-supplied input in the 'FormValue_SearchKeywords' variable,
allowing arbitrary SQL syntax to be passed to the database.

#5 - Cross-frame Scripting

As described in CVE-2004-2383, the Oempro application does not implement code
to prevent cross-frame scripting attacks: its pages can be loaded inside a
frame on an attacker-controlled site. This can be used to construct more
convincing phishing attacks to steal user credentials. While this is a
browser-based vulnerability, applications can add a small amount of script
code to ensure the window is not loaded via a frame. (Browsers released after
this advisory also honour the X-Frame-Options response header, which is the
preferred control where it is available.)

Product Details:
----------------

Vendor: Octeth Technologies
Product: Oempro
Version: 3.5.5.1

Solution:
---------

Upgrade to version 4.

Disclosure Timeline:
--------------------

2008-07-02: Vulnerability Discovered
2008-07-05: Disclosed to Vendor via [sales|press|security]@octeth.com
2008-07-05: security@ invalid. Sales #HZS-628697 opened automatically.
2008-07-07: CVE numbers assigned
2008-07-14: Vendor Acknowledgement from C.H.
2008-09-16: v4, said to fix issues, still not released
2008-10-05: Mail sent to C.H. asking for V4 release ETA
2008-11-22: v4 released, reportedly addresses issues
2008-12-01: Public Disclosure

CVE:
----

This issue is a candidate for inclusion in the Common Vulnerabilities and
Exposures (CVE) list (http://cve.mitre.org), which standardizes names for
security problems. The CVE initiative has assigned CVE Candidate
CVE-2008-3057 (cookie handling), CVE-2008-3058 (sql injection) and
CVE-2008-3059 (password disclosure) to this issue.

References:
-----------

OSVDB: http://osvdb.org/50321 .. 50324
Vendor: http://octeth.com/products/oempro/
XSS Information: http://en.wikipedia.org/wiki/Cross_site_scripting
HttpOnly Cookie XSS Mitigation: http://msdn.microsoft.com/en-us/library/ms533046(VS.85).aspx

Creditee:
---------

Security Curmudgeon
Attrition.org / OSVDB.org