
tkadv2005-11-001.txt
Posted Nov 8, 2005
Authored by Tobias Klein | Site trapkit.de

PHPlist Version 2.10.1 and prior contain multiple Cross Site Scripting and SQL Injection vulnerabilities. Furthermore, it is possible to access and read arbitrary system files through a vulnerability in PHPlist. Detailed exploitation provided.

tags | advisory, arbitrary, vulnerability, xss, sql injection
SHA-256 | 429d5e2ed3062111670608399cbfe4c23936e0a7acc764e78fbed068284c5240


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Multiple vulnerabilities in PHPlist
Name: TKADV2005-11-001
Revision: 1.0
Release Date: 2005/11/07
Last Modified: 2005/11/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk: Critical ( ) High (x) Medium (x) Low (x)
Vendor URL: http://www.phplist.com/
Vendor Status: Vendor has released an updated version


=========
Overview:
=========

PHPlist is a double opt-in newsletter manager. It is written in
PHP and uses a SQL database for storing the information.

Version 2.10.1 and prior contain multiple Cross Site Scripting
and SQL Injection vulnerabilities. Furthermore it is possible to
access and read arbitrary system files through a vulnerability in
PHPlist.


======================
Vulnerability details:
======================

All vulnerabilities are only exploitable by a legitimate user who is
logged in to PHPlist. So the probability of occurrence of most
threats is rated as medium. The probability of occurrence of the
non-persistent Cross Site Scripting vulnerabilities is even rated
as low.

For a description of the calculation of the resulting threat of a
vulnerability see reference [3].

All vulnerabilities are exploitable, no matter if magic_quotes_gpc
is turned on or off.


[1] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=admin&id=

Proof of Concept:

[path_to_phplist]/lists/admin/?page=admin&id=1'


[2] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=editattributes&id=

Proof of Concept:

[path_to_phplist]/lists/admin/?page=editattributes&id=1'


[3] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: POST

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=admin&id=1

Vulnerable POST parameter: id=

Proof of Concept (POST request):

POST [path_to_phplist]/lists/admin/?page=admin&id=1 HTTP/1.1

[...]

id=1'&loginname=admin&email=&password=phplist&superuser=1&
disabled=0&change=Save+Changes
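The three SQL injection items above ([1], [2] and [3]) share one root cause: the id parameter is pasted into the SQL text as-is. The following is an added example, not code from the advisory or from PHPlist, written in Python with an in-memory sqlite3 table standing in for PHPlist's MySQL table (the table name admin and its columns are assumptions). It reproduces the defect with the advisory's own PoC value (id=1'), shows why addslashes()-style escaping as done by magic_quotes_gpc does not help in an unquoted numeric context, and contrasts it with a hardened lookup that validates the type and uses a parameterised query.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table; the real PHPlist schema is not given in the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, loginname TEXT, superuser INTEGER)"
    )
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)", [(1, "admin", 1), (2, "editor", 0)]
    )
    conn.commit()
    return conn


def lookup_admin_vulnerable(conn, raw_id):
    # Mirrors the defect the advisory describes: the request parameter is
    # concatenated into the SQL text without any validation.
    sql = "SELECT loginname FROM admin WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def add_slashes(s):
    # Emulates PHP's magic_quotes_gpc / addslashes(): backslash-escapes
    # quotes and backslashes. Only meaningful inside a quoted string literal.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_admin_hardened(conn, raw_id):
    # Two independent controls: strict type validation of the parameter and a
    # parameterised query, so the value can never change the SQL structure.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT loginname FROM admin WHERE id = ?", (int(raw_id),)
    ).fetchall()


def _outcome(fn, *args):
    # Classify what happened when a lookup is attempted with a given value.
    try:
        fn(*args)
        return "accepted"
    except sqlite3.OperationalError:
        return "sql error"
    except ValueError:
        return "rejected"


def demo():
    conn = make_db()
    results = {}
    results["normal"] = lookup_admin_vulnerable(conn, "1")
    # The advisory's PoC value: the stray quote breaks the query (error-based
    # detection of the injection point).
    results["poc_vulnerable"] = _outcome(lookup_admin_vulnerable, conn, "1'")
    # Escaping does not help here: the value sits in an unquoted numeric
    # context, so "1\'" is still a syntax error and the input still reaches
    # the parser. This is why the advisory says magic_quotes_gpc is irrelevant.
    results["poc_escaped"] = _outcome(lookup_admin_vulnerable, conn, add_slashes("1'"))
    # The hardened lookup rejects the PoC value before any SQL is built.
    results["poc_hardened"] = _outcome(lookup_admin_hardened, conn, "1'")
    results["hardened_normal"] = lookup_admin_hardened(conn, "1")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point of the add_slashes() branch is that escaping is a property of string literals, not of SQL; a numeric parameter needs a numeric validator (or a bound parameter), which is the fix that survives any magic_quotes_gpc setting.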


[4] Read arbitrary system files

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: POST

Vulnerability description:

PHPlist is prone to a vulnerability that permits read access to
arbitrary files.

Successful exploitation of this vulnerability will grant the
attacker read access to arbitrary files on the system in the
security context of the webserver process.

Details:

(a) Configure attributes

Go to the following URL:

[path_to_phplist]/lists/admin/?page=attributes

Now load data from predefined defaults (see following URL).

[path_to_phplist]/lists/admin/?page=defaults

(b) Add predefined value

For example: "Provinces in Canada"

(c) Manipulate POST request

Vulnerable POST parameter: selected%5B%5D=
Original value : selected%5B%5D=can-provinces.txt

Manipulated value:

selected%5B%5D=/../../../../../../../etc/passwd

POST request:

POST [path_to_phplist]/lists/admin/?page=defaults HTTP/1.1

[...]

selected%5B%5D=/../../../../../../../etc/passwd

(d) Check

Go to the user management:

[path_to_phplist]/lists/admin/?page=usermgt

Choose the "Control values for" link:

[path_to_phplist]/lists/admin/?page=editattributes&id=1

You should see the contents of the local password file.
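The selected[] value in step (c) is used as a path component without being checked, which is what lets "../" sequences walk out of the defaults directory. The following is an added example, not code from the advisory or from PHPlist, written in Python: a resolver for such a parameter with three layered checks (no path separators, an allowlist of shipped files, and a canonical-path containment test), run over constructed POST bodies including the advisory's PoC value. The directory DEFAULTS_DIR and the allowlist KNOWN_DEFAULTS are assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed stand-in for the directory holding the predefined default files;
# the real location is not given in the advisory.
DEFAULTS_DIR = "/var/www/phplist/lists/admin/defaults"
# Constructed allowlist of the files the application ships.
KNOWN_DEFAULTS = {"can-provinces.txt", "countries.txt"}


def resolve_default_file(selected):
    """Map a user-supplied selected[] value to a file under DEFAULTS_DIR,
    or raise ValueError. Any one of the three checks alone would have
    stopped the advisory's PoC value; together they are defence in depth."""
    # 1. A legitimate value is a bare filename: no separators, no dot names.
    if "/" in selected or "\\" in selected or selected in ("", ".", ".."):
        raise ValueError("directory separators are not allowed: %r" % selected)
    # 2. The set of default files is fixed, so compare against an allowlist.
    if selected not in KNOWN_DEFAULTS:
        raise ValueError("unknown default file: %r" % selected)
    # 3. Canonicalise and confirm the result still lies inside DEFAULTS_DIR.
    candidate = posixpath.normpath(posixpath.join(DEFAULTS_DIR, selected))
    if posixpath.commonpath([DEFAULTS_DIR, candidate]) != DEFAULTS_DIR:
        raise ValueError("path escapes defaults directory: %r" % candidate)
    return candidate


def selected_from_body(body):
    """Extract every selected[] value from a urlencoded POST body
    (selected%5B%5D decodes to selected[])."""
    return parse_qs(body, keep_blank_values=True).get("selected[]", [])


def check_request(body):
    """Return (value, resolved_path_or_'rejected') for each selected[] value."""
    out = []
    for value in selected_from_body(body):
        try:
            out.append((value, resolve_default_file(value)))
        except ValueError:
            out.append((value, "rejected"))
    return out


if __name__ == "__main__":
    # Constructed request bodies: the legitimate one and the advisory's PoC.
    for body in (
        "selected%5B%5D=can-provinces.txt",
        "selected%5B%5D=/../../../../../../../etc/passwd",
        "selected%5B%5D=..%2Fconfig.php",
    ):
        print(check_request(body))
```

The containment check in step 3 is the one to keep even if the allowlist is later relaxed: it compares canonical paths, so encoded or doubled separators that survive earlier checks are still caught at the filesystem boundary.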


[5] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "listname" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST request:

[path_to_phplist]/lists/admin/?page=editlist

Details:

(a) Manipulate POST request

Vulnerable POST parameter: listname=
Original value : listname=

Manipulated value:

listname="><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=editlist HTTP/1.1

[...]

id=0&listname="><script>alert(document.cookie)</script>
&listorder=&owner=1&description=&save=Save

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=list


[6] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "title" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST Request:

[path_to_phplist]/lists/admin/?page=spageedit

Details:

(a) Manipulate POST request

Vulnerable POST parameter: title=
Original value : title=

Manipulated value:

title="><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=spageedit HTTP/1.1

[...]

id=3&title="><script>alert(document.cookie)</script>&[...]

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=spage


[7] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "title" form-data is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST Request:

[path_to_phplist]/lists/admin/?page=template

Details:

(a) Manipulate POST request

Vulnerable POST parameter: form-data; name="title"

Manipulated value:

form-data; name="title"

"><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=template HTTP/1.1

[...]

-----------------------------1474118359509
Content-Disposition: form-data; name="id"

0
-----------------------------1474118359509
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
-----------------------------1474118359509
Content-Disposition: form-data; name="file_template";
filename=""
Content-Type: application/octet-stream


-----------------------------1474118359509
Content-Disposition: form-data; name="content"

[CONTENT]
-----------------------------1474118359509
Content-Disposition: form-data; name="save"

Save Changes
-----------------------------1474118359509--

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=templates


[8] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&s=0&filter=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&s=0&filter="><script>
alert(document.cookie)</script>


[9] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&start=&delete=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&start=&delete=">
<script>alert(document.cookie)</script>


[10] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&start="><script>alert
(document.cookie)</script>


[11] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=configure&id=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=configure&id="><script>alert
(document.cookie)</script>


[12] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=users&find=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=users&find="><script>alert
(document.cookie)</script>


[13] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=admin&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=admin&start="><script>alert
(document.cookie)</script>


[14] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=fckphplist&action=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visits the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=fckphplist&action="><script>
alert(document.cookie)</script>
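Items [5] to [14] are all the same defect seen from two sides: values are written into HTML without output encoding (stored values such as listname and title in [5]-[7], reflected GET parameters in [8]-[14]). The following is an added example, not code from the advisory or from PHPlist, written in Python. It shows the mitigation (escaping a stored listname at render time, using the advisory's own payload) and a detection routine that scans constructed web-server access-log lines for script markup in the GET parameters named in [8]-[14]. The rendering markup, the log format and the sample lines are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


def render_list_row(listname):
    """Render one row of a list overview. The user-controlled value is
    HTML-escaped at output time (quotes included), so a stored listname
    cannot close the attribute it is placed in. Markup is constructed."""
    safe = html.escape(listname, quote=True)
    return '<tr><td><input type="text" name="listname" value="%s"></td></tr>' % safe


# GET parameters the advisory reports as reflected unencoded (items [8]-[14]).
WATCHED_PARAMS = {"filter", "delete", "start", "id", "find", "action"}
# Markup that has no business in a filter, id or search term.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def flag_request_line(line):
    """Return the offending (param, value) pairs for one access-log line
    (CLF-style, constructed format), or an empty list."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    if not parts.path.startswith("/lists/admin/"):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            # unquote() once more so a double-encoded value is also caught.
            if SUSPICIOUS.search(unquote(v)):
                hits.append((name, v))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for every line carrying a suspicious value."""
    flagged = []
    for i, line in enumerate(lines):
        hits = flag_request_line(line)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample log lines: the advisory's PoC for [8], a benign search
# for [12], and the PoC for [13].
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2005:10:00:00 +0100] "GET /lists/admin/?page=eventlog&s=0'
    '&filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4211',
    '10.0.0.5 - - [07/Nov/2005:10:01:00 +0100] "GET /lists/admin/?page=users&find=smith'
    ' HTTP/1.1" 200 2200',
    '10.0.0.9 - - [07/Nov/2005:10:02:00 +0100] "GET /lists/admin/?page=admin'
    '&start=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1800',
]


if __name__ == "__main__":
    print(render_list_row('"><script>alert(document.cookie)</script>'))
    for index, hits in scan(SAMPLE_LOG):
        print("line", index, "->", hits)
```

Escaping at output time covers both the stored and the reflected variants, and the log scan is only a compensating control for an unpatched install: it matches on a value's decoded form, because the payload arrives percent-encoded and would otherwise slip past a naive substring search for "<script".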


=========
Solution:
=========

Upgrade to PHPlist 2.10.2 or newer.

http://www.phplist.com/files/


========
History:
========

2005/11/02 - Vendor notified
2005/11/02 - Vendor response
2005/11/07 - Release of new PHPlist version
2005/11/07 - Public release


========
Credits:
========

Vulnerabilities found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://tincan.co.uk/?lid=1632
[2] http://www.trapkit.de/advisories/TKADV2005-11-001.txt
[3] http://www.trapkit.de/advisories/TKADVcortav.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2005 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ2+pdpF8YHACG4RBEQLtgwCgr/c/Vf73SpIWq+yeChp9r15oHi0AnRJS
OYPcgyVchLXfFZE912nenHcE
=MG/M
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.