PHPList SQL Injection and Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit the SQL-injection issue. The attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issue.

The following example URIs are available:

http://www.example.com/public_html/lists/admin/?blacklisted=1&change=Vai&find=&findby=email&id=0&page=users&sortorder=desc&start=0&unconfirmed=1&sortby=1[SQL]

http://www.example.com/public_html/lists/admin/?num=[XSS]&option=bounces&page=reconcileusers


 

Privacy Statement
Copyright 2010, SecurityFocus