SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   PHPMailList Vendors:   PHP.WarpedWeb.Net
PHPMailList Discloses Information and Passwords to Remote Users and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1016439
SecurityTracker URL:  http://securitytracker.com/id/1016439
CVE Reference:   CVE-2006-3482, CVE-2006-3483   (Links to External Site)
Updated:  Aug 12 2008
Original Entry Date:  Jul 5 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.8.0 and prior versions
Description:   Lostmon reported a vulnerability in PHPMailList. A remote user can view the administrator's password. A remote user can view user e-mail addresses. A remote user can conduct cross-site scripting attacks.

A remote user can request the 'ml_config.dat' file to obtain the administrator's username and password and to obtain configuration information.

A remote user can request the 'list.dat' file to obtain subscriber e-mail addresses.

The 'maillist.php' script does not properly filter HTML code from user-supplied input in the email field before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHPMailList software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:   A remote user can obtain the administrator's password.

A remote user can view e-mail addresses for all subscribers on the system.

A remote user can view application configuration information.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPMailList software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  php.warpedweb.net/maillist (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in PHPMailList 1.8.0

########################################################
Multiple Vulnerabilities in PHPMailList   1.8.0
Vendor url:  http://php.warpedweb.net/
Advisore:http://lostmon.blogspot.com/2006/07
/multiple-vulnerabilities-in.html
VEndor notify:no Explotation  include:yes

########################################################

################
Description
################

PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses.The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscriber, and configure the script.Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures are all maintained through
the password protected administration section.

PHPMailList have multiple vulnerabilities like XSS. information disclosure
Plain text administrator username/password disclosure.

##############
versions
##############

PHPMaiLlist 1.8.0 and prior versions


#####################
Cross site scripting
#####################

PHPMailList have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate poperly the
input parsed in the email field upon submission to '/maillist.php'
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.


######################
Information disclosure
######################

direct request to file 'list.dat' reveal all email address of all suscribers.

Direct request to file 'ml_config.dat' reveal all configuration information.

#####################################
Plain text administrator disclosure:
#####################################

Direct request to file 'ml_config.dat' reveal in the first line
the admin username and in the second the admin password in plain text

######################
Timeline
######################

Discovered: 06-jun-2006
Vendor notify:No have a forum and no have a mail address...
vendor response:-------
Disclosure:06-jul-2006


Thnx to Estrella to be my ligth.

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
-- 
La curiosidad es lo que hace mover la mente....
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC