============================== Vulnerability ID: HTB22956 Reference: http://www.htbridge.ch/advisory/xss_vulnerabilities_in_phplist.html Product: phpList Vendor: Tincan Ltd ( http://www.phplist.com/ ) Vulnerable Version: 2.10.13 and probably prior versions Vendor Notification: 12 April 2011 Vulnerability Type: XSS Risk level: Medium Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities exists due to failure in the "admin/commonlib/lib/userlib.php", "admin/template.php", "admin/editlist.php" scripts to properly sanitize user-supplied input in "email" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability. The following PoC is available: 1. 2. 3. ============================== Vulnerability ID: HTB22957 Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_phplist.html Product: phpList Vendor: Tincan Ltd ( http://www.phplist.com/ ) Vulnerable Version: 2.10.13 and probably prior versions Vendor Notification: 12 April 2011 Vulnerability Type: CSRF (Cross-Site Request Forgery) Risk level: Low Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) Vulnerability Details: The vulnerability exists due to failure in the "admin/configure.php" script to properly verify the source of HTTP request. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. Attacker can use browser to exploit this vulnerability. The following PoC is available: