phpList 2.10.17 Remote SQL Injection and XSS Vulnerability

2012-03-21T00:00:00
ID ZSL-2012-5081
Type zeroscience
Reporter Gjoko Krstic
Modified 2012-03-21T00:00:00

Description

Title: phpList 2.10.17 Remote SQL Injection and XSS Vulnerability
Advisory ID: ZSL-2012-5081
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 21.03.2012

Summary

phplist is the world's most popular open source email campaign manager. phplist is free to download, install and use, and is easy to integrate with any website. phplist is downloaded more than 10,000 times per month.

Description

Input passed via the parameter 'sortby' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The param 'num' is vulnerable to a XSS issue where the attacker can execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

phpList Ltd - <http://www.phplist.com>

Affected Version

2.10.17

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20

Vendor Status

[05.03.2012] Vulnerabilities discovered.
[19.03.2012] Submited details to the vendor's bug tracking system.
[19.03.2012] Vendor investigates, confirms and fixes the issues.
[19.03.2012] Sent patch release coordination to the vendor.
[21.03.2012] Vendor releases version 2.10.18 to address these issues.
[21.03.2012] Coordinated public security advisory released.

PoC

phplist.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.phplist.com/?lid=567>
[2] <https://mantis.phplist.com/view.php?id=16557>
[3] <http://www.exploit-db.com/exploits/18639/>
[4] <http://www.1337day.com/exploits/17788>
[5] <http://www.securityfocus.com/bid/52657>
[6] <http://secunia.com/advisories/48491/>
[7] <http://cxsecurity.com/issue/WLB-2012030192>
[8] <http://packetstormsecurity.org/files/111080>
[9] <http://xforce.iss.net/xforce/xfdb/74206>
[10] <http://xforce.iss.net/xforce/xfdb/74207>
[11] <http://www.osvdb.org/show/osvdb/80283>
[12] <http://www.osvdb.org/show/osvdb/80284>
[13] <http://securitytracker.com/id/1027181>
[14] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2740>
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2741>

Changelog

[21.03.2012] - Initial release
[22.03.2012] - Added reference [3], [4], [5], [6] and [7]
[23.03.2012] - Added reference [8], [9], [10], [11] and [12]
[25.06.2012] - Added reference [13], [14] and [15]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;