Message-ID: <4E49930F.1020905@davidecanali.com>
Date: Mon, 15 Aug 2011 23:43:43 +0200
From: Davide Canali <davide@...idecanali.com>
To: bugtraq@...urityfocus.com
Subject: phpList Improper Access Control and Information Leakage vulnerabilities

========================================================================
Title: phpList Improper Access Control and Information Leakage 
vulnerabilities

Product: phpList (http://www.phplist.com/)

Author: Davide Canali
E-mail: davide (at) davidecanali (dot) com

Date: 2011-08-10
========================================================================

1. BACKGROUND:

"phpList is the world's most popular open source email campaign manager. 
phpList is free to download, install and use, and is easy to integrate 
with any website. phplist is downloaded more than 10,000 times per 
month. phplist is sponsored by tincan." (from www.phplist.com)

2. DESCRIPTION:

Some Improper Access Control/Information Leakage vulnerabilities exist 
in phpList, through which any Internet user can gain access to possibly 
sensitive information. These vulnerabilities:

1) allow anybody who is able to register (or to obtain a "unique user 
id") to obtain a copy of any email previously sent by the system, 
regardless of the mailing list to which the message belongs (including 
hidden or private mailing lists for which normal users can't usually 
register).

2) allow anybody to read the subject of every email sent by the system.

3. DETAILS

The page that is used to forward a mailing list message to another email 
address lacks proper identity checks and can leak information to 
unauthenticated users.

1) Anybody possessing a valid uid can forward any message of the system 
to an email address of his choice. One possible way of obtaining a uid 
is to register to a publicly available mailing list: the user's uid 
appears in every registration confirmation email.
Just by iterating on mid, a malicious user can see and forward to 
himself any message that has been previously sent by phpList -- even 
messages belonging to hidden (private) mailing lists, or to mailing 
lists to which he's not subscribed. E.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=VALID_UID&mid=ID

(where VALID_UID is a valid user uid, and ID is the id of the message we 
want to forward)

Here, regardless of the mailing list to which the specified uid is 
registered, a text field is shown, allowing a malicious user to enter an 
email address to which a copy of message #ID is sent.

2) Any unauthenticated user can read the subject of any message sent by 
the system just by iterating on mid and setting an arbitrary uid; e.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=foo&mid=ID

The subject of message #ID is shown on the response page.
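To make the missing check concrete, the following is an added example (not phpList's code) that models the forward page's authorization decision in Python over an assumed in-memory data model; uid, mid, list membership and hidden lists are the page's concepts, while the class and function names and the sample data are assumptions.

```python
# Added example, not phpList code: models the authorization decision the
# advisory says the forward page (?p=forward&uid=...&mid=...) was missing.
# The in-memory data model and all names below are assumptions.
from dataclasses import dataclass, field


@dataclass
class Message:
    subject: str
    sent_to: frozenset  # ids of the lists this message was sent to


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # uid -> set of subscribed list ids
    messages: dict = field(default_factory=dict)  # mid -> Message


def build_sample_store():
    """Constructed sample: list 1 is public, list 2 is hidden (admin-managed);
    subscriber u1 is only on list 1."""
    s = Store()
    s.users["u1"] = {1}
    s.messages[1] = Message("Public newsletter", frozenset({1}))
    s.messages[2] = Message("Internal staff memo", frozenset({2}))
    return s


def forward_vulnerable(store, uid, mid):
    """Behaviour the advisory describes: the subject is rendered before any
    uid check (vuln 2), and any existing uid may forward any mid (vuln 1)."""
    msg = store.messages.get(mid)
    if msg is None:
        return {"status": "no such message"}
    if uid not in store.users:
        return {"status": "invalid uid", "subject": msg.subject}
    return {"status": "forward allowed", "subject": msg.subject}


def forward_hardened(store, uid, mid):
    """Allow the forward only if uid is a real subscriber of at least one list
    the message was actually sent to. Every other case gets the same response
    with no message details, so mid cannot be used as a subject oracle."""
    user_lists = store.users.get(uid)
    msg = store.messages.get(mid)
    if user_lists is None or msg is None or not (user_lists & msg.sent_to):
        return {"status": "denied"}
    return {"status": "forward allowed", "subject": msg.subject}
```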

4. AFFECTED VERSIONS

Vulnerability 1) phpList versions 2.10.1 -> 2.10.14
Vulnerability 2) all the releases of phpList starting version 2.10.1

5. SOLUTIONS

The logic that handles message forward requests was updated in 
phpList version 2.10.15, fixing the first vulnerability.
phpList users should download the latest release of the product at:
http://www.phplist.com/download

6. DISCLOSURE TIMELINE

2011-08-06: Vendor notified
2011-08-08: Vendor response
2011-08-09: Vendor released phpList version 2.10.15 (fixing 
vulnerability n.1)
2011-08-10: New release checked: vulnerability n.2 was not fixed; vendor 
notified. Vendor promised to fix the issue with the next release of the 
product, and agreed on publicly disclosing the advisory. Advisory released.

========================================================================
Davide Canali
davide (at) davidecanali (dot) com
