Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    phplist 3.2.6
Fixed in:            3.3.1
Fixed Version Link:  http://ift.tt/2mzkxuq
                     http://ift.tt/2nuFV9t
Vendor Website:      http://ift.tt/1Gss40X
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  01/10/2017
Disclosed to public: 02/20/2017
Release mode:        Coordinated Release
CVE:                 n/a (not requested)
Credits:             Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to Cross Site Scripting. The application contains one reflected XSS and multiple persistent XSS vulnerabilities. The persistent XSS vulnerabilities are only exploitable by users with specific privileges.

3. Details

Reflected XSS

CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The page parameter is vulnerable to reflected XSS. As the vector states, no login is required (PR:N), but the victim has to open the crafted link (UI:R).

Proof of Concept:

http://localhost/lists/admin/?page=send\'\">&id=187&tk=c

Persistent XSS

CVSS: Medium 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Various components of the administration interface are vulnerable to persistent XSS. While a user account with the respective privilege is required to exploit these issues, a less privileged user can store a payload that later executes in the browser of a more privileged administrator, and so use it to escalate privileges.

Persistent XSS: List Name

The name of a list is echoed in various locations without encoding, leading to persistent XSS. An account with the privilege to create a list is required.
Proof of Concept:

Add a new list: http://localhost/lists/admin/?page=editlist&tk=c

As name use: list'">

To trigger the payload, visit:

- Add new subscribers to list: http://localhost/lists/admin/?page=importsimple&list=84&tk=c
- Overview of all lists: http://localhost/lists/admin/?page=list&tk=c
- List members of list: http://localhost/lists/admin/?page=members&id=3&tk=c
- View member (loaded as part of the lists tab): http://localhost/lists/admin/?page=user&id=4
- Creating a campaign (in step 4): http://localhost/lists/admin/?page=send&id=2&tk=c&tab=Lists

Persistent XSS: Subscribe Page

Various parameters of the subscribe page, such as the title, are vulnerable to persistent XSS. An account with the privilege to edit the subscribe page is required.

Proof of Concept:

Add a new subscribe page: http://localhost/lists/admin/?page=spage

As title use: subscribe'">

To trigger the payload:

- Visit the subscribe page: http://localhost/lists/index.php?p=subscribe&id=1
- Visit the subscribe page overview: http://localhost/lists/admin/?page=spage

Persistent XSS: Bounce Rule

The expression parameter of bounce rules is vulnerable to persistent XSS. An account with the privilege to edit bounce rules is required.

Proof of Concept:

Add a new bounce rule: http://localhost/lists/admin/?page=bouncerules&type=active

As regular expression use: test'">
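Every proof of concept above uses the same quote-breaking probe, '">, whether it is sent in the page parameter or stored as a list name, subscribe page title or bounce rule expression. When verifying whether an instance is affected, or whether an upgrade to 3.3.1 actually fixed an output location, what matters is how that probe comes back in the response: verbatim, entity-encoded, or not at all. The following script is an added example and is not code from the Curesec advisory or from phplist. It classifies a response body accordingly, prints the context each raw reflection landed in, and includes a Python port of PHP's htmlspecialchars() with ENT_QUOTES as the assumed fix; the three response bodies in it are constructed stand-ins, not output captured from a phplist installation.

```python
"""Classify how an XSS probe is reflected in an HTTP response body.

Added example for this advisory; not code from Curesec or from phplist.
The response bodies below are constructed stand-ins (not captured from a
real phplist install): one mimics an unencoded echo like the ones the
advisory describes, one mimics output passed through PHP's
htmlspecialchars() with ENT_QUOTES, and one does not reflect the input.
"""
import html

# The probe every PoC in the advisory uses ('">): a single quote, a double
# quote and a closing angle bracket, so it terminates a single- or
# double-quoted attribute and then the tag itself.
PROBE = "'\">"


def escape_for_html(value: str) -> str:
    """Python port of PHP htmlspecialchars($value, ENT_QUOTES) (assumed fix).

    '&' must be replaced first, otherwise the entities introduced by the
    later replacements would be double-encoded. ENT_QUOTES matters here:
    without it (the PHP default before 8.1) the single quote of the probe
    is left alone and a single-quoted attribute stays exploitable.
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'raw', 'encoded' or 'absent' for the given response body.

    'raw'     - the probe appears verbatim, so it broke out of its context
                and this output location is exploitable.
    'encoded' - the probe is present only after entity decoding, i.e. the
                application encoded it (the expected state after the fix).
    'absent'  - the input is not reflected in this response at all.
    A body that contains both forms is reported as 'raw'.
    """
    if probe in body:
        return "raw"
    if probe in html.unescape(body):
        return "encoded"
    return "absent"


def reflection_contexts(body: str, probe: str = PROBE, width: int = 30) -> list:
    """Return the text immediately preceding each raw reflection.

    Useful when triaging a 'raw' result: it shows which attribute or element
    the probe landed in (a hidden form field, a table cell, a link, ...).
    """
    contexts = []
    start = 0
    while True:
        idx = body.find(probe, start)
        if idx == -1:
            return contexts
        contexts.append(body[max(0, idx - width):idx])
        start = idx + len(probe)


# Constructed sample responses (not real phplist output).
VULNERABLE_BODY = (
    '<form action="./" method="post">'
    '<input type="hidden" name="page" value="send\'">" />'
    '</form>'
)
PATCHED_BODY = (
    '<form action="./" method="post">'
    '<input type="hidden" name="page" value="'
    + escape_for_html("send'\">") + '" />'
    '</form>'
)
UNRELATED_BODY = "<html><body><p>Login</p></body></html>"


if __name__ == "__main__":
    for name, body in [("vulnerable", VULNERABLE_BODY),
                       ("patched", PATCHED_BODY),
                       ("unrelated", UNRELATED_BODY)]:
        verdict = classify_reflection(body)
        print(f"{name}: {verdict}")
        if verdict == "raw":
            for ctx in reflection_contexts(body):
                print("   context:", repr(ctx))
```

To check a live instance, feed classify_reflection() the body of each trigger page listed above after storing the probe; the persistent cases need one request per output location, since the advisory shows that the same list name is echoed in five different pages and a fix in one template does not cover the others.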