-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:          Multiple vulnerabilities in PHPlist
Name:              TKADV2005-11-001
Revision:          1.0
Release Date:      2005/11/07
Last Modified:     2005/11/07
Author:            Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk:              Critical ( ) High (x) Medium (x) Low (x)
Vendor URL:        http://www.phplist.com/
Vendor Status:     Vendor has released an updated version

=========
Overview:
=========

PHPlist is a double opt-in newsletter manager. It is written in PHP and
uses a SQL database for storing the information.

Version 2.10.1 and prior contain multiple Cross Site Scripting and SQL
Injection vulnerabilities. Furthermore, it is possible to access and read
arbitrary system files through a vulnerability in PHPlist.

======================
Vulnerability details:
======================

All vulnerabilities are only exploitable by a legitimate user who is
logged in to PHPlist. So the probability of occurrence of most threats
is rated as medium. The probability of occurrence of the non-persistent
Cross Site Scripting vulnerabilities is even rated as low. For a
description of the calculation of the resulting threat of a
vulnerability see reference [3].

All vulnerabilities are exploitable, no matter if magic_quotes_gpc is
turned on or off.

[1] SQL Injection

Possible damage:           Critical
Probability of occurrence: Medium
Resulting threat:          High
HTTP method:               GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is due to
a lack of proper sanitization of user-supplied input before using it in
an SQL query. Successful exploitation could result in a compromise of
the application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
Vulnerable URL:
[path_to_phplist]/lists/admin/?page=admin&id=

Proof of Concept:
[path_to_phplist]/lists/admin/?page=admin&id=1'

[2] SQL Injection

Possible damage:           Critical
Probability of occurrence: Medium
Resulting threat:          High
HTTP method:               GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is due to
a lack of proper sanitization of user-supplied input before using it in
an SQL query. Successful exploitation could result in a compromise of
the application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:
[path_to_phplist]/lists/admin/?page=editattributes&id=

Proof of Concept:
[path_to_phplist]/lists/admin/?page=editattributes&id=1'

[3] SQL Injection

Possible damage:           Critical
Probability of occurrence: Medium
Resulting threat:          High
HTTP method:               POST

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is due to
a lack of proper sanitization of user-supplied input before using it in
an SQL query. Successful exploitation could result in a compromise of
the application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:
[path_to_phplist]/lists/admin/?page=admin&id=1

Vulnerable POST parameter:
id=

Proof of Concept (POST request):

POST [path_to_phplist]/lists/admin/?page=admin&id=1 HTTP/1.1
[...]
id=1'&loginname=admin&email=&password=phplist&superuser=1&
disabled=0&change=Save+Changes

[4] Read arbitrary system files

Possible damage:           Critical
Probability of occurrence: Medium
Resulting threat:          High
HTTP method:               POST

Vulnerability description:

PHPlist is prone to a vulnerability that permits read access to
arbitrary files. Successful exploitation of this vulnerability will
grant the attacker read access to arbitrary files on the system in the
security context of the webserver process.
Details:

(a) Configure attributes

Go to the following URL:
[path_to_phplist]/lists/admin/?page=attributes

Now load data from predefined defaults (see following URL).
[path_to_phplist]/lists/admin/?page=defaults

(b) Add predefined value

For example: "Provinces in Canada"

(c) Manipulate POST request

Vulnerable POST parameter:
selected%5B%5D=

Original value   : selected%5B%5D=can-provinces.txt
Manipulated value: selected%5B%5D=/../../../../../../../etc/passwd

POST request:

POST [path_to_phplist]/lists/admin/?page=defaults HTTP/1.1
[...]
selected%5B%5D=/../../../../../../../etc/passwd

(d) Check

Go to the user management:
[path_to_phplist]/lists/admin/?page=usermgt

Choose the "Control values for" link:
[path_to_phplist]/lists/admin/?page=editattributes&id=1

You should see the contents of the local password file.

[5] Cross Site Scripting

Possible damage:           High
Probability of occurrence: Medium
Resulting threat:          Medium
HTTP method:               POST

Vulnerability description:

The "listname" parameter is prone to cross-site scripting attacks. This
could permit an attacker to embed a malicious link into the context of
the web application that includes hostile client-side script code or
HTML. If the appropriate site within the application is visited, the
attacker-supplied code is rendered in the browser of the user who visits
the site. No further user interaction is needed.

URL with vulnerable POST request:
[path_to_phplist]/lists/admin/?page=editlist

Details:

(a) Manipulate POST request

Vulnerable POST parameter:
listname=

Original value   : listname=
Manipulated value: listname=">

POST request:

POST [path_to_phplist]/lists/admin/?page=editlist HTTP/1.1
[...]
id=0&listname="> &listorder=&owner=1&description=&save=Save

(b) Check

The malicious code gets executed when a user visits the following URL:
[path_to_phplist]/lists/admin/?page=list

[6] Cross Site Scripting

Possible damage:           High
Probability of occurrence: Medium
Resulting threat:          Medium
HTTP method:               POST

Vulnerability description:

The "title" parameter is prone to cross-site scripting attacks. This
could permit an attacker to embed a malicious link into the context of
the web application that includes hostile client-side script code or
HTML. If the appropriate site within the application is visited, the
attacker-supplied code is rendered in the browser of the user who visits
the site. No further user interaction is needed.

URL with vulnerable POST request:
[path_to_phplist]/lists/admin/?page=spageedit

Details:

(a) Manipulate POST request

Vulnerable POST parameter:
title=

Original value   : title=
Manipulated value: title=>

POST request:

POST [path_to_phplist]/lists/admin/?page=spageedit HTTP/1.1
[...]
id=3&title=">&[...]

(b) Check

The malicious code gets executed when a user visits the following URL:
[path_to_phplist]/lists/admin/?page=spage

[7] Cross Site Scripting

Possible damage:           High
Probability of occurrence: Medium
Resulting threat:          Medium
HTTP method:               POST

Vulnerability description:

The "title" form-data is prone to cross-site scripting attacks. This
could permit an attacker to embed a malicious link into the context of
the web application that includes hostile client-side script code or
HTML. If the appropriate site within the application is visited, the
attacker-supplied code is rendered in the browser of the user who visits
the site. No further user interaction is needed.
URL with vulnerable POST request:
[path_to_phplist]/lists/admin/?page=template

Details:

(a) Manipulate POST request

Vulnerable POST parameter:
form-data; name="title"

Manipulated value:
form-data; name="title"

">

POST request:

POST [path_to_phplist]/lists/admin/?page=template HTTP/1.1
[...]
-----------------------------1474118359509
Content-Disposition: form-data; name="id"

0
-----------------------------1474118359509
Content-Disposition: form-data; name="title"

">
-----------------------------1474118359509
Content-Disposition: form-data; name="file_template"; filename=""
Content-Type: application/octet-stream


-----------------------------1474118359509
Content-Disposition: form-data; name="content"

[CONTENT]
-----------------------------1474118359509
Content-Disposition: form-data; name="save"

Save Changes
-----------------------------1474118359509--

(b) Check

The malicious code gets executed when a user visits the following URL:
[path_to_phplist]/lists/admin/?page=templates

[8] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=eventlog&s=0&filter=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user who
visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&s=0&filter=">

[9] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=eventlog&start=&delete=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML.
If this link is visited, the attacker-supplied code may be rendered in
the browser of the user who visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&start=&delete=">

[10] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=eventlog&start=" parameter is prone to cross-site scripting
attacks. This could permit remote attackers to create a malicious link
to a vulnerable PHP script that includes hostile client-side script
code or HTML. If this link is visited, the attacker-supplied code may
be rendered in the browser of the user who visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&start=">

[11] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=configure&id=" parameter is prone to cross-site scripting
attacks. This could permit remote attackers to create a malicious link
to a vulnerable PHP script that includes hostile client-side script
code or HTML. If this link is visited, the attacker-supplied code may
be rendered in the browser of the user who visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=configure&id=">

[12] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=users&find=" parameter is prone to cross-site scripting
attacks. This could permit remote attackers to create a malicious link
to a vulnerable PHP script that includes hostile client-side script
code or HTML. If this link is visited, the attacker-supplied code may
be rendered in the browser of the user who visits the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=users&find=">

[13] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=admin&start=" parameter is prone to cross-site scripting
attacks. This could permit remote attackers to create a malicious link
to a vulnerable PHP script that includes hostile client-side script
code or HTML. If this link is visited, the attacker-supplied code may
be rendered in the browser of the user who visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=admin&start=">

[14] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

The "?page=fckphplist&action=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user who
visits the malicious link.

Proof of Concept:
[path_to_phplist]/lists/admin/?page=fckphplist&action=">

=========
Solution:
=========

Upgrade to PHPlist 2.10.2 or newer.
http://www.phplist.com/files/

========
History:
========

2005/11/02 - Vendor notified
2005/11/02 - Vendor response
2005/11/07 - Release of new PHPlist version
2005/11/07 - Public release

========
Credits:
========

Vulnerabilities found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://tincan.co.uk/?lid=1632
[2] http://www.trapkit.de/advisories/TKADV2005-11-001.txt
[3] http://www.trapkit.de/advisories/TKADVcortav.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard to
this information. In no event shall the author be liable for any direct
or indirect damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at
the user's own risk.

The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2005 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ2+pdpF8YHACG4RBEQLtgwCgr/c/Vf73SpIWq+yeChp9r15oHi0AnRJS
OYPcgyVchLXfFZE912nenHcE
=MG/M
-----END PGP SIGNATURE-----
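The file-read issue in [4] comes from taking a file name out of the selected[] POST parameter and opening it relative to the directory of predefined defaults. As an added example that is not PHPlist's own code, the PHP below shows a hardened version of that loader; the function name resolveDefaultsFile, the DEFAULTS_DIR constant and the surrounding handler are assumptions, not the project's real identifiers.

```php
<?php
// Added example (not PHPlist code): hardened "load predefined defaults" step
// for issue [4]. DEFAULTS_DIR and resolveDefaultsFile() are assumed names.
declare(strict_types=1);

const DEFAULTS_DIR = __DIR__ . '/defaults'; // assumed location of the bundled .txt files

// The unsafe pattern behind [4] is, in essence, file(DEFAULTS_DIR . '/' . $name)
// with no check on $name, so a value such as /../../../../../../../etc/passwd
// escapes the directory (simplified illustration, not the original source).

/**
 * Return the absolute path of a predefined-defaults file, or null when the
 * submitted name is not one of the files that actually exist in DEFAULTS_DIR.
 * The allow-list lookup rejects "..", absolute paths and unknown names before
 * any file I/O happens; the realpath check is an independent second barrier.
 */
function resolveDefaultsFile(string $submitted): ?string
{
    // Only plain names like "can-provinces.txt" are acceptable.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $submitted)) {
        return null;
    }
    $allowed = array_map('basename', glob(DEFAULTS_DIR . '/*.txt') ?: []);
    if (!in_array($submitted, $allowed, true)) {
        return null;
    }
    $real = realpath(DEFAULTS_DIR . '/' . $submitted);
    $base = realpath(DEFAULTS_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Handling of the selected[] POST parameter named in the advisory.
$selected = $_POST['selected'] ?? [];
foreach ((array) $selected as $name) {
    if (!is_string($name) || ($path = resolveDefaultsFile($name)) === null) {
        // Rejected names are logged so a traversal attempt shows up in monitoring.
        error_log('defaults: rejected file name ' . var_export($name, true));
        continue;
    }
    $values = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    // $values would now be stored as the attribute's predefined values.
}
```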