Tuesday, April 22, 2014

phpList CSRF on subscription page

For those who don't know phpList...
... is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to a list of subscribers. It is written in PHP and uses a MySQL database to store the information. The software is distributed free under GPL license. (in Wikipedia)
I discovered a CSRF vulnerability in phpList 3.0.5 (and maybe prior versions) - CVE-2014-2916 - that allowed a malicious user to perform a variety of attacks (defacement, malware spreading, phishing, etc.).
If a specially crafted page is visited by any authenticated administrator, it's possible to launch a CSRF that will be automatically executed without the admin knowing about it.

The problem is that the subscription page editor - /phplist/admin/?page=spageedit - doesn't have protection against this type of vulnerability.
So, if an authenticated administrator visits a specific page that sends a form automatically, it will store the malicious code on the subscription page.
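The missing protection, sketched as an added example (this is not phpList's code and not the fix shipped in 3.0.6): a per-session token bound to the admin page and checked on every state-changing POST. The function names, the `csrf_key` session slot, the `csrf_token` field and the `title` form field are hypothetical.

```php
<?php
// Added example, not phpList code. Names are hypothetical.

// Derive a token bound to the session secret and to one admin page, so a
// token issued for another form cannot be reused against the editor.
function csrf_token(array &$session, string $page): string
{
    if (empty($session['csrf_key'])) {
        $session['csrf_key'] = random_bytes(32);   // per-session secret
    }
    return hash_hmac('sha256', $page, $session['csrf_key']);
}

// Accept a state-changing request only if it is a POST carrying the token
// that was embedded in the form rendered for this session and page.
function csrf_check(array $session, string $method, string $page, array $post): bool
{
    if ($method !== 'POST' || empty($session['csrf_key'])) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent)) {
        return false;   // array-valued field (csrf_token[]=x) is rejected outright
    }
    $expected = hash_hmac('sha256', $page, $session['csrf_key']);
    return hash_equals($expected, $sent);   // constant-time comparison
}

// Constructed demonstration; a plain array stands in for $_SESSION.
$session = [];
$token = csrf_token($session, 'spageedit');

// Form rendered by the application: the hidden field travels with the POST.
$legit = ['title' => 'Subscribe', 'csrf_token' => $token];
// Cross-site form: the browser attaches the admin's session cookie, but the
// foreign page cannot read the token, so the field is absent.
$forged = ['title' => 'Subscribe'];
// Token issued for a different admin page.
$wrongPage = ['title' => 'Subscribe', 'csrf_token' => csrf_token($session, 'otherpage')];

var_dump(csrf_check($session, 'POST', 'spageedit', $legit));
var_dump(csrf_check($session, 'POST', 'spageedit', $forged));
var_dump(csrf_check($session, 'POST', 'spageedit', $wrongPage));
```

Only the first request passes the check; the editor would reject the other two before writing anything to the subscription page.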



Fix it ASAP!
The phpList team has already patched this issue in phpList 3.0.6, so I recommend downloading it as soon as possible.

I would like to thank Michiel Dethmers from phpList for keeping me updated on the fixing status and showing that the phpList team really cares about security.

Timeline
02 Apr 2014: Reported this advisory to phpList
03 Apr 2014: phpList replied that they redirected the lead developer
04 Apr 2014: Lead developer replied that they are working on fixing it
15 Apr 2014: phpList 3.0.6 is released
21 Apr 2014: Credit for this vulnerability was published in the phpList news section
22 Apr 2014: Full disclosure