what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting
Posted Jun 1, 2016
Authored by Mickael Dorigny

PHPList version 3.2.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | f0da55dd29ff527bd052188fb9c5477c678b51589e98191eacd2521bb2069799

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: PHPList v3.2.4 CSRF/XSS
# Date: 01/06/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.phplist.com/
# Version: 3.2.4
# Category: CSRF/XSS
######################################################################

PHPList description :
======================================================================
phpList is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source software subject to the terms of the Affero General Public License (AGPL).

Vulnerabilities description :
======================================================================
phpList version 3.2.4 is vulnerable to multiple vulnerabilities like :
- CSRF
- Stored XSS

Poc n°1 : CSRF on Campaign Draft modification
============================================
The draft modification process is vulnerable to CSRF attack. When using the form, we can see that a form anti-CSRF token is used but it can be removed from the request wihtout causing error. The only prerequisite to exploit this CSRF is to target an existing Draft ID. This can be done with a simple code tricks wich send multiple modification requests while incremeting the Draft ID for example. To modify the Draft 5, use the following parameters :

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=MODIFIED_SUBJECT&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

This vulnerability can make an authenticated user change campaign content an alter user experience.

PoC n°2 : Stored XSS on Campaign Draft Name
============================================
The campaign draft name, displayed when listing all campaign draft, is vulnerable to Stored XSS attack. This mean that the vulnerable code is saved in the database and displayed each time a admin/user go on the campaign draft list :
http://server/admin/?page=messages&tab=draft

The following request exploit this vulnerability :

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=DATA"><script>alert("XSS_again")</script>&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

Note that once this request is submitted, the user is not directly on the page that display the XSS. He have to go on this page : http://server/admin/?page=messages&tab=draft

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies, and especially admin's ones.

Using two simple HTML page with auto JavaScript redirection, an attacker can exploit these two vulnerabilities to change the campaign draft content to make it display a Javascescript instruction and then use this Javascript execution to steal session cookie or bypass all other anti-CSRF protection of the PHPlist installation. The scenario exploiting this two vulnerabilities is presented in the video in "Addtional resources" section.

Solution:
======================================================================
- Update your PHPList installation to superior version (3.2.5 - https://www.phplist.org/newslist/phplist-3-2-5-whats-new/)

Additional resources :
======================================================================
- https://youtu.be/cU6ob4sCKgs
- https://www.phplist.org/newslist/phplist-3-2-5-whats-new/

Report timeline :
======================================================================
2016-05-11 : Advisory submitted to editor
2016-05-26 : Version 3.2.5 released with fixes
2016-06-01 : Public Advisory release

Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close