========================================================================
Title:   phpList Improper Access Control and Information Leakage vulnerabilities
Product: phpList (http://www.phplist.com/)
Author:  Davide Canali
E-mail:  davide (at) davidecanali (dot) com
Date:    2011-08-10
========================================================================

1. BACKGROUND:

"phpList is the world's most popular open source email campaign manager. phpList is free to download, install and use, and is easy to integrate with any website. phplist is downloaded more than 10,000 times per month. phplist is sponsored by tincan." (from www.phplist.com)

2. DESCRIPTION:

Some Improper Access Control/Information Leakage vulnerabilities exist in phpList, through which any Internet user can gain access to possibly sensitive information. These vulnerabilities:

1) allow anybody who is able to register (or to obtain a "unique user id") to obtain a copy of any email previously sent by the system, regardless of the mailing list to which the message belongs (including hidden or private mailing lists for which normal users can't usually register).

2) allow anybody to read the subject of every email sent by the system.

3. DETAILS

The page used to forward a mailing list message to another email address lacks proper identity checks and can leak information to unauthenticated users.

1) Anybody possessing a valid uid can forward any message in the system to an email address of his choice. One possible way of obtaining a uid is to register to a publicly available mailing list: the user's uid appears in every user's registration confirmation email. Just by iterating on mid, a malicious user can see and forward to himself any message that has been previously sent by phpList -- even messages belonging to hidden (private) mailing lists, or to mailing lists to which he is not subscribed.

E.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=VALID_UID&mid=ID

(where VALID_UID is a valid user uid, and ID is the id of the message we want to forward)

Here, regardless of the mailing list to which the specified uid is registered, a text field is shown, allowing a malicious user to enter an email address for receiving a copy of message #ID.

2) Any unauthenticated user can read the subject of any message sent by the system just by iterating on mid and setting an arbitrary uid; e.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=foo&mid=ID

The subject of message #ID is shown on the response page.

4. AFFECTED VERSIONS

Vulnerability 1) phpList versions 2.10.1 -> 2.10.14
Vulnerability 2) all releases of phpList starting from version 2.10.1

5. SOLUTIONS

The logic that handles message forward requests has been updated in phpList version 2.10.15, thus fixing the first vulnerability. phpList users should download the latest release of the product at:

http://www.phplist.com/download

6. DISCLOSURE TIMELINE

2011-08-06: Vendor notified
2011-08-08: Vendor response
2011-08-09: Vendor released phpList version 2.10.15 (fixing vulnerability n.1)
2011-08-10: New release checked: vulnerability n.2 was not fixed; vendor notified. Vendor promised to fix the issue with the next release of the product, and agreed on publicly disclosing the advisory. Advisory released.

========================================================================
Davide Canali
davide (at) davidecanali (dot) com
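Both issues above show up in web-server logs as a single client walking the mid parameter of the forward page, or as forward requests carrying a uid that was never issued. The following detection script is an added example written for this advisory, not code from phpList or its author; the Apache-style log lines, IP addresses and uids are constructed, and the set of "known" uids stands in for an export of the site's own subscriber table.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format, fictional IPs/uids).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:10:00:01 +0000] "GET /lists/?p=forward&uid=abc123&mid=1 HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [10/Aug/2011:10:00:02 +0000] "GET /lists/?p=forward&uid=abc123&mid=2 HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [10/Aug/2011:10:00:03 +0000] "GET /lists/?p=forward&uid=abc123&mid=3 HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [10/Aug/2011:10:00:04 +0000] "GET /lists/?p=forward&uid=abc123&mid=4 HTTP/1.1" 200 512 "-" "curl/7.21"
198.51.100.7 - - [10/Aug/2011:10:05:00 +0000] "GET /lists/?p=forward&uid=def456&mid=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2011:10:06:00 +0000] "GET /lists/?p=forward&uid=foo&mid=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:10:07:00 +0000] "GET /lists/?p=subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, request method and request path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')


def parse_forward_requests(log_text):
    """Yield (ip, uid, mid) for every request to the phpList forward page (p=forward)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        qs = parse_qs(urlparse(m.group("path")).query)
        if qs.get("p", [""])[0] != "forward":
            continue
        yield m.group("ip"), qs.get("uid", [""])[0], qs.get("mid", [""])[0]


def find_enumeration(log_text, threshold=3):
    """Map each client IP to the sorted distinct mids it requested on the forward
    page, keeping only clients above `threshold` distinct mids (mid iteration)."""
    seen = defaultdict(set)
    for ip, _uid, mid in parse_forward_requests(log_text):
        seen[ip].add(mid)
    return {ip: sorted(mids) for ip, mids in seen.items() if len(mids) > threshold}


def find_unknown_uids(log_text, known_uids):
    """List (ip, uid, mid) for forward requests whose uid was never issued
    (vulnerability 2: subject disclosure with an arbitrary uid)."""
    return [(ip, uid, mid) for ip, uid, mid in parse_forward_requests(log_text)
            if uid not in known_uids]
```

Run against real logs, the threshold should be tuned to how often legitimate subscribers forward messages; a single subscriber rarely touches more than a handful of distinct mids.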