Document Title: =============== OmniSecure v7.x DLX - Multiple SQL Injection Vulnerabilities Release Date: ============= 2011-07-15 Vulnerability Laboratory ID (VL-ID): ==================================== 101 Product & Service Introduction: =============================== One Click Folder Protection Whether you are protecting tens of files or thousands of files, it only takes a few simple steps to protect all your folders instantly with Omni Secure folder protection. File type does not matter. These include anyting from.php, to .doc, to .xls, to pdf, to .zip, streaming videos etc. Multi-Directional Login Forms Easily create customized, multi-directional login forms. Manage your users from a single login form that not only determines what group each user is assigned to, but which has the power to automatically redirects each individual user to appropriate folders and pages. Manages Unlimited Groups Totally simple! Members belong to Groups and Groups belong to Protected Folders. You determine which Protected Folder(s) each Group may access. Manages Unlimited Users Large databases of users are only as valuable as the system that manages them. With OSS you manage a virtually unlimited number of users that allows you to view, edit, lock, delete or modify in dozens of way, all accounts. And you may do this individually or by group. ... ... (Copy of theVendor Homepage: Abstract Advisory Information: ============================== Vulnerability-Lab Team discovered multiple SQL Injection Vulnerabilities on OmniSecure v6.1.1 Deluxe. Vulnerability Disclosure Timeline: ================================== 2011-00-00: Vendor Notification 2011-00-00: Vendor Response/Feedback 2011-00-00: Vendor Fix/Patch 2011-00-00: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ Multiple SQL Injection Vulnerabilities are detected on OmniSecure. Attackers can compromise the application dbms & the application content via sql injection. The bug allows an remote attacker to inject own sql statements over the vulnerable web application. Vulnerable Modules: [+] Login Edit [+] Add User [+] Add Banners [+] SignupCode [+] AddUrlShield Pictures: ../sql1.png ../sql2.png ../sql3.png Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by local restricted user accounts & remote attackers. For demonstration or reproduce ... File: index.php Para: ?module=CodeGen&action=CustomLoginEdit&id= File: index.php Para: ?module=Members&action=AddUser&id= File: index.php Para: ?module=System&action=AffAddBanner&id= File: index.php Para: ?module=Members&action=AddGroup&id= File: index.php Para: ?module=CodeGen&action=SignupCode&FormID= File: index.php Para: ?module=UrlProtect&action=AddUrlShield&id= omnisecure v6.1.1 Deluxe - SQL Injection "PoC"