Some new vulnerabilities in Interspire Email Marketer

1. Arbitrary file upload

Vendor of product: Interspire

Product: Email Marketer

Affected function: Create survey and submit survey

Affected Version: <= 6.1.6 (the latest version, 6.1.8, may also be affected)

Authentication: Authentication is required to exploit the vulnerability. An attacker may bypass authentication by using CVE-2017-14322; many organizations still use the old version (< 6.1.6).

Description: An attacker can easily upload webshell files to the server via the “create survey” function when the “allow all file type” option is enabled.

The attacker then accesses and submits the survey that was created.

The webshell file is saved and can be accessed directly via the URL: domain/admin/temp/surveys/{formId}/{responseId}/shell.php
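
For defenders, the upload path above gives a concrete detection point: no request under admin/temp/surveys/ should ever resolve to a server-side script. The following is an added example, not code from Interspire or from the original write-up; it assumes a combined-format web access log, and the extension list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: ip, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Upload path named in the advisory: admin/temp/surveys/{formId}/{responseId}/<file>
UPLOAD_RE = re.compile(
    r'/admin/temp/surveys/(?P<form>[^/]+)/(?P<resp>[^/]+)/(?P<rest>.+)$', re.I)
# Extensions often mapped to the PHP handler (assumption: match your server config).
# Also catches double extensions (x.php.jpg) and PATH_INFO suffixes (x.php/y).
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|phar|pht)(\.|/|$)', re.I)

def decode_path(target):
    """Drop the query string and undo up to three layers of percent-encoding."""
    path = target.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_upload_execution(lines):
    """Return one record per request for a script file under the survey upload dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m['target'])
        u = UPLOAD_RE.search(path)
        if u and SCRIPT_EXT_RE.search(u['rest']):
            hits.append({'ip': m['ip'], 'status': int(m['status']), 'path': path,
                         'form_id': u['form'], 'response_id': u['resp']})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up IDs and sizes).
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Mar/2018:10:01:02 +0000] "GET /admin/temp/surveys/12/34/resume.pdf HTTP/1.1" 200 48211',
    '203.0.113.7 - - [12/Mar/2018:10:05:40 +0000] "GET /admin/temp/surveys/12/35/shell.php HTTP/1.1" 200 17',
    '203.0.113.7 - - [12/Mar/2018:10:05:44 +0000] "POST /Admin/temp/surveys/12/35/shell%2Ephp?a=1 HTTP/1.1" 200 230',
    '203.0.113.9 - - [12/Mar/2018:10:09:13 +0000] "GET /admin/temp/surveys/12/36/photo.php.jpg HTTP/1.1" 404 0',
    '198.51.100.20 - - [12/Mar/2018:10:11:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
]

if __name__ == '__main__':
    for hit in find_upload_execution(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the script was served or executed; the form_id and response_id fields identify which survey and submission to inspect on disk.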

2. SQL Injection (4 vulnerabilities)

Vendor of product: Interspire

Product: Email Marketer

Affected function: Dynamiccontenttags.php

Affected Version: <= 6.1.6 (the latest version, 6.1.8, may also be affected)

Authentication: Authentication is required to exploit the vulnerability. An attacker may bypass authentication by using CVE-2017-14322; many organizations still use the old version (< 6.1.6).

Description: Some SQL injection bugs occur in Dynamiccontenttags functions such as checkduplicatetags, deleteblock, delete tags, and updateblock. These vulnerabilities have not been disclosed yet.

  • SQL Injection at checkduplicatetags method:
  • SQL Injection at deleteblock method:
  • SQL Injection at delete tags method:

The programmer performs string concatenation in three queries, so when testing time-based SQL injection (sleep(5)), the delay is over 15 seconds.

  • SQL Injection at updateblock method: