BugTraq
phpList Improper Access Control and Information Leakage vulnerabilities Aug 15 2011 09:43PM
Davide Canali (davide davidecanali com)
========================================================================

Title: phpList Improper Access Control and Information Leakage
vulnerabilities

Product: phpList (http://www.phplist.com/)

Author: Davide Canali
E-mail: davide (at) davidecanali (dot) com

Date: 2011-08-10
========================================================================

1. BACKGROUND:

"phpList is the world's most popular open source email campaign manager.
phpList is free to download, install and use, and is easy to integrate
with any website. phplist is downloaded more than 10,000 times per
month. phplist is sponsored by tincan." (from www.phplist.com)

2. DESCRIPTION:

Some Improper Access Control/Information Leakage vulnerabilities exist
in phpList, through which any Internet user can gain access to possibly
sensitive information. These vulnerabilities:

1) allow anybody who is able to register (or to obtain a "unique user
id") to obtain a copy of any email previously sent by the system,
regardless of the mailing list to which the message belongs (including
hidden or private mailing lists for which normal users can't usually
register).

2) allow anybody to read the subject of every email sent by the system.

3. DETAILS

The page that is used to forward a mailing list message to another email
address lacks of proper identity checks and can leak information to
unauthenticated users.

1) Anybody possessing a valid uid can forward any message of the system
to an email address of his choice. One possible way of obtaining an uid
is to register to a publicly available mailing list. The user's uid
appears in every user's registration confirmation email.
Just by iterating on mid, a malicious user can see and forward to
himself any message that has been previously sent by phpList -- even
messages belonging to hidden (private) mailing lists, or to mailing
lists to which he's not subscribed. E.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=VALID_UID&mid=ID

(where VALID_UID is a valid user uid, and ID is the id of the message we
want to forward)

here, regardless of the mailing list to which the specified uid is
registered, a text field is shown, allowing a malicious user to enter an
email address for receiving a copy of the message #ID

2) Any unauthenticated user can read the subject of any message sent by
the system just by iterating on mid and setting randomly an uid; e.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=foo&mid=ID

the subject of the message #ID is shown on the response page.

4. AFFECTED VERSIONS

Vulnerability 1) phpList versions 2.10.1 -> 2.10.14
Vulnerability 2) all the releases of phpList starting version 2.10.1

5. SOLUTIONS

The logic that handles message forward requests has been updated in
phpList version 2.10.15, thus fixing the first vulnerability.
phpList users should download the latest release of the product at:
http://www.phplist.com/download

6. DISCLOSURE TIMELINE

2011-08-06: Vendor notified
2011-08-08: Vendor response
2011-08-09: Vendor released phpList version 2.10.15 (fixing
vulnerability n.1)
2011-08-10: New release checked: vulnerability n.2 was not fixed; vendor
notified. Vendor promised to fix the issue with the next release of the
product, and agreed on publicly disclosing the advisory. Advisory released.

========================================================================

Davide Canali
davide (at) davidecanali (dot) com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus