phpList Improper Access Control and Information Leakage vulnerabilities

From: Davide Canali <davide@davidecanali.com>
To: bugtraq@securityfocus.com
Cc:
Subject: phpList Improper Access Control and Information Leakage vulnerabilities
Date:


========================================================================
Title: phpList Improper Access Control and Information Leakage 
vulnerabilities

Product: phpList (http://www.phplist.com/)

Author: Davide Canali
E-mail: davide (at) davidecanali (dot) com

Date: 2011-08-10
========================================================================

1. BACKGROUND:

"phpList is the world's most popular open source email campaign manager. 
phpList is free to download, install and use, and is easy to integrate 
with any website. phplist is downloaded more than 10,000 times per 
month. phplist is sponsored by tincan." (from www.phplist.com)

2. DESCRIPTION:

Some Improper Access Control/Information Leakage vulnerabilities exist 
in phpList, through which any Internet user can gain access to possibly 
sensitive information. These vulnerabilities:

1) allow anybody who is able to register (or to obtain a "unique user 
id") to obtain a copy of any email previously sent by the system, 
regardless of the mailing list to which the message belongs (including 
hidden or private mailing lists for which normal users can't usually 
register).

2) allow anybody to read the subject of every email sent by the system.

3. DETAILS

The page that is used to forward a mailing list message to another email 
address lacks proper identity checks and can leak information to 
unauthenticated users.

1) Anybody possessing a valid uid can forward any message in the system 
to an email address of his choice. One possible way of obtaining a uid 
is to register for a publicly available mailing list: the user's uid 
appears in every user's registration confirmation email.
Just by iterating on mid, a malicious user can see and forward to 
himself any message that has been previously sent by phpList -- even 
messages belonging to hidden (private) mailing lists, or to mailing 
lists to which he's not subscribed. E.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=VALID_UID&mid=ID

(where VALID_UID is a valid user uid, and ID is the id of the message we 
want to forward)

Here, regardless of the mailing list to which the specified uid is 
subscribed, a text field is shown, allowing a malicious user to enter an 
email address that will receive a copy of message #ID.

2) Any unauthenticated user can read the subject of any message sent by 
the system just by iterating on mid and supplying an arbitrary (even 
invalid) uid; e.g.:

http://PATH_TO_PHPLIST/lists/?p=forward&uid=foo&mid=ID

The subject of message #ID is shown on the response page.

4. AFFECTED VERSIONS

Vulnerability 1) phpList versions 2.10.1 -> 2.10.14
Vulnerability 2) all releases of phpList from version 2.10.1 onward

5. SOLUTIONS

The logic that handles message forward requests has been updated in 
phpList version 2.10.15, thus fixing the first vulnerability.
phpList users should download the latest release of the product at:
http://www.phplist.com/download

6. DISCLOSURE TIMELINE

2011-08-06: Vendor notified
2011-08-08: Vendor response
2011-08-09: Vendor released phpList version 2.10.15 (fixing 
vulnerability n.1)
2011-08-10: New release checked: vulnerability n.2 was not fixed; vendor 
notified. Vendor promised to fix the issue with the next release of the 
product, and agreed on publicly disclosing the advisory. Advisory released.

========================================================================
Davide Canali
davide (at) davidecanali (dot) com
