1. Arbitrary file upload
Vendor of product: Interspire
Product: Email Marketer
Affected function: Create survey and submit survey
Affected Version: <= 6.1.6 (the latest version, 6.1.8, may also be affected)
Authentication: Authentication is required to exploit the vulnerability. An attacker may bypass authentication by using CVE-2017-14322, since many organizations still use the old version (< 6.1.6).
Description: An attacker can easily upload webshell files to the server via the "create survey" function when the "allow all file type" option is enabled.
Access and submit the survey that was created.
The webshell file is saved and can be accessed directly via the URL: domain/admin/temp/surveys/{formId}/{responseId}/shell.php
2. SQL Injection (4 vulnerabilities)
Vendor of product: Interspire
Product: Email Marketer
Affected function: Dynamiccontenttags.php
Affected Version: <= 6.1.6 (the latest version, 6.1.8, may also be affected)
Authentication: Authentication is required to exploit the vulnerability. An attacker may bypass authentication by using CVE-2017-14322, since many organizations still use the old version (< 6.1.6).
Description: Several SQL injection bugs occur in Dynamiccontenttags functions such as checkduplicatetags, deleteblock, delete tags and updateblock. These vulnerabilities have not been disclosed yet.
- SQL Injection at checkduplicatetags method:
- SQL Injection at deleteblock method:
- SQL Injection at delete tags method:
The code concatenates the parameter into three queries, so when testing time-based SQL injection with sleep(5), the observed delay is over 15 seconds.
- SQL Injection at updateblock method:
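As an added defender-side example (not part of this advisory or the vendor's code), the following Python scans web server access-log lines for the two indicators the findings above imply: direct requests for PHP files under the survey temp path from section 1, and time-based SQL injection probes against Dynamiccontenttags from section 2. The log lines, client IPs and the index.php?Page=...&Action=... URL layout are constructed assumptions, not values taken from a real deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /admin/index.php?Page=Surveys HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /admin/temp/surveys/12/7/shell.php?c=id HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/temp/surveys/12/7/photo.jpg HTTP/1.1" 200 4096
10.0.0.5 - - [01/Jan/2024:10:02:30 +0000] "GET /admin/index.php?Page=Dynamiccontenttags&Action=checkduplicatetags&tagname=x%27%29%20AND%20sleep%285%29--%20 HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2024:10:03:00 +0000] "GET /admin/index.php?Page=Dynamiccontenttags&Action=updateblock&id=3 HTTP/1.1" 200 64
"""

# Fields of a Combined Log Format request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Survey upload path from the advisory: admin/temp/surveys/{formId}/{responseId}/<file>.
# Anything server-executable there is a webshell indicator (common PHP extensions covered).
SURVEY_SCRIPT_RE = re.compile(
    r'^/admin/temp/surveys/\d+/\d+/[^/?]+\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE
)
# Time-based SQLi probe functions appearing in a Dynamiccontenttags request.
SLEEP_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)


def analyze(log_text):
    """Return (ip, indicator, decoded_path) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        decoded = unquote(m.group("path"))  # decode %27, %28 ... before matching
        if SURVEY_SCRIPT_RE.match(decoded):
            findings.append((m.group("ip"), "survey_webshell_access", decoded))
        elif "dynamiccontenttags" in decoded.lower() and SLEEP_RE.search(decoded):
            findings.append((m.group("ip"), "timebased_sqli_probe", decoded))
    return findings


if __name__ == "__main__":
    for ip, kind, path in analyze(SAMPLE_LOG):
        print(f"{kind:24} {ip:12} {path}")
```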