Multiple Vulnerabilities in PHPMailList 1.8.0

Wednesday, July 05, 2006
########################################################
Multiple Vulnerabilities in PHPMailList 1.8.0
Vendor URL: http://php.warpedweb.net/
Advisory: http://lostmon.blogspot.com/2006/07/multiple-vulnerabilities-in.html
Vendor notified: yes
Exploitation included: yes
OSVDB ID: 27016, 27017, 27018
Securitytracker:1016439
BID:18840
FrSIRT: FrSIRT/ADV-2006-2690
########################################################

################
Description
################

PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses. The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscribers, and configure the script. Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures, is maintained through
the password-protected administration section.

PHPMailList has multiple vulnerabilities: XSS, information disclosure,
and plain text administrator username/password disclosure.

##############
Versions
##############

PHPMailList 1.8.0 and prior versions


#####################
Cross site scripting
#####################

PHPMailList has a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not properly validate the
input passed in the email field upon submission to the '/maillist.php'
script. This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.


######################
Information disclosure
######################

A direct request to the file 'list.dat' reveals the email addresses of all subscribers.

A direct request to the file 'ml_config.dat' reveals all configuration information.

#####################################
Plain text administrator disclosure:
#####################################

A direct request to the file 'ml_config.dat' reveals the admin username
in the first line and the admin password in the second, both in plain text.
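
Web server access logs can be checked for the requests described in the sections above. The following is an added example, not part of the original advisory or of PHPMailList: it flags direct requests for 'list.dat' and 'ml_config.dat' and non-address values in the email field of 'maillist.php'. The query parameter name 'email', the '/maillist/' path, the common log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Data files the advisory says are readable by direct request.
DATA_FILES = {"list.dat", "ml_config.dat"}
# Conservative address shape; anything else in the email field is suspicious.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Common/combined log format: quoted request line, then the status code.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def classify(line):
    """Return a list of findings for one access-log line."""
    m = LINE_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    name = url.path.rsplit("/", 1)[-1].lower()
    findings = []
    if name in DATA_FILES:
        # 200 means the file content was served; other codes are probes.
        kind = "exposed" if m.group("status") == "200" else "probe"
        findings.append(f"{kind}:{name}")
    if name == "maillist.php":
        # parse_qs percent-decodes values, so encoded markup is caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get("email", []):
            if value and not EMAIL_RE.fullmatch(value):
                findings.append("bad-email-field")
    return findings


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2006:10:00:01 +0000] "GET /maillist/maillist.php?email=user%40example.org HTTP/1.1" 200 512
192.0.2.11 - - [05/Jul/2006:10:00:07 +0000] "GET /maillist/ml_config.dat HTTP/1.1" 200 231
192.0.2.11 - - [05/Jul/2006:10:00:09 +0000] "GET /maillist/list.dat HTTP/1.1" 403 199
192.0.2.12 - - [05/Jul/2006:10:01:30 +0000] "GET /maillist/maillist.php?email=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540
"""


def scan(text):
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        found = classify(line)
        if found:
            hits[number] = found
    return hits
```

Pass the contents of an access log to scan(); an "exposed" finding means the data file was actually served, so the addresses and the admin credentials in it should be treated as disclosed.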

######################
Timeline
######################

Discovered: 06-jun-2006
Vendor notified: No; the vendor has no forum and no mail address...
Vendor response: -------
Disclosure: 06-jul-2006

######################## €nd #####################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....