TitanHQ SpamTitan Email Security Gateway Unauthenticated User Creation Vulnerability

Vulnerability

A vulnerability exists in TitanHQ SpamTitan Email Security Gateway versions 8.00.x prior to 8.00.101 and 8.01.x prior to 8.01.14. The issue arises in the file quarantine.php, where unauthenticated users can initiate account-level actions by sending a crafted GET request. Specifically, if a non-existent email address is included in the email parameter, SpamTitan will automatically create a user record and link quarantine settings to it, all without requiring authentication. This vulnerability could be exploited to manipulate internal application behavior or inject data into the user base, potentially leading to privilege escalation or information leaks in misconfigured environments.

Impact

Exploitation of this vulnerability allows for the unauthenticated creation of internal user records, manipulation of quarantine report settings for arbitrary emails, and potential denial-of-service or persistence via spam report hijacking, expanding the application attack surface for further exploitation.

Reproduction

To reproduce this vulnerability, send a GET request to quarantine.php without authentication. Include a non-existent email address in the email parameter, along with other required parameters such as role_type, action, period, and secret_id. The request will trigger the creation of a new user account associated with the provided email address, without any authentication or validation of the role type.
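Detection logic for the request pattern described above, added here as an example and not part of the advisory or of SpamTitan itself: it scans web-server access logs for GET requests to quarantine.php that carry the email parameter together with the other parameters named above, and groups the distinct email values seen per source address, since many distinct addresses from one source is the signature of mass user creation. The combined (Apache/nginx-style) log format and the sample lines are assumptions; the parameter names come from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined access-log format is an assumption; the advisory does not state SpamTitan's log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Parameters named in the advisory; "email" is the one that triggers user creation.
REQUIRED = {"role_type", "action", "period", "secret_id"}

def parse_line(line):
    """Split one access-log line into source IP, method, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m.group("ip"), "method": m.group("method"), "path": url.path, "params": params}

def is_suspicious(rec):
    """A GET to quarantine.php carrying an email plus the other account-level parameters."""
    if rec is None or rec["method"] != "GET" or not rec["path"].endswith("/quarantine.php"):
        return False
    p = rec["params"]
    return "email" in p and REQUIRED.issubset(p)

def find_user_creation_attempts(lines):
    """Return {source_ip: sorted distinct email values} for matching requests.

    Legitimate quarantine-report links also hit quarantine.php, so a single
    address per source is normal; many distinct addresses from one source is not."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            hits[rec["ip"]].add(rec["params"]["email"].lower())
    return {ip: sorted(emails) for ip, emails in hits.items()}

# Constructed sample log lines (not real traffic); 203.0.113.7 cycles through non-existent addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2025:17:33:01 +0000] "GET /quarantine.php?email=ghost1%40example.org&role_type=user&action=report&period=daily&secret_id=abc HTTP/1.1" 200 512
203.0.113.7 - - [21/Aug/2025:17:33:02 +0000] "GET /quarantine.php?email=ghost2%40example.org&role_type=user&action=report&period=daily&secret_id=abc HTTP/1.1" 200 512
198.51.100.4 - - [21/Aug/2025:17:35:10 +0000] "GET /quarantine.php?email=alice%40example.org&role_type=user&action=release&period=daily&secret_id=xyz HTTP/1.1" 200 512
198.51.100.4 - - [21/Aug/2025:17:36:00 +0000] "GET /index.php HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    for ip, emails in find_user_creation_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {len(emails)} distinct email value(s): {', '.join(emails)}")
```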

Remediation

Users can update to SpamTitan Gateway version 8.00.101 or 8.01.14 to address this vulnerability. For instructions on updating SpamTitan, refer to the SpamTitan Gateway Admin Guide.

Added: Aug 21, 2025, 5:33 PM
Updated: Aug 21, 2025, 6:31 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.