Tuesday, April 22, 2014

phpList CSRF on subscription page

For those who don't know phpList...
... is an open source software for managing mailing lists. It is designed for the dissemination of information, such as newsletters, news, advertising to list of subscribers. It is written in PHP and uses a MySQL database to store the information. The software is distributed free under GPL license. (in Wikipedia)
I discover a CSRF vulnerability on phpList 3.0.5 (and maybe prior versions) - CVE-2014-2916 -  that allowed a malicious user to perform a variety of attacks (deface, malware spreading, phishing, etc.).
If a specially crafted page is visited by any authenticated administrator it's possible to launch a CSRF that will be automatically executed without the admin knowing it about.

The problem is that the subscription page editor - /phplist/admin/?page=spageedit - doesn't have protection against this type of vulnerability.
So, if a authenticated administrator visits a specific page that sends a form automatically it will store the malicious code on the subscription page.

Fix it ASAP!
phpList team have already patched this issue on phpList 3.0.6, so I recommend the download as soon as possible.

I would like to thank Michiel Dethmers from phpList for getting me updated on the fixing status and showing that phpList team really care about security.

02 Apr 2014: Reported this advisory to phpList
03 Apr 2014: phpList replied that they redirected the lead developer
04 Apr 2014: Lead developer replied that they are working on fixing it
15 Apr 2014: phpList 3.0.6 is released
21 Apr 2014: Credit for this vulnerability was published on phpList news section
22 Apr 2014: Full disclosure

Thursday, March 27, 2014

How to lose $2100 on bounties

Quite simple. Be late :-)
I discovered five security vulnerabilities that were already found from other users and were waiting fixing.

- Two vulnerabilities on Giftcards
- Two vulnerabilities on Magento (eBay)
- One vulnerability on Google

The estimated value of all these vulnerabilities were about $2100.
Note to myself: Better luck next time!

Friday, January 3, 2014

My ad on your OLX favourites - CSRF style

First of all - Happy New Year to all my readers.

OLX is an internet company based in New York City and Buenos Aires, Argentina. The OLX website hosts free user-generated classified advertisements for urban communities around the world and provides discussion forums sorted by various topics. They're are present on more 90 countries.

Portuguese OLX domain - olx.pt, one of the most popular websites in the country, was vulnerable to a CSRF that allowed any user to add a ad on a visitor favourite section just by visiting a specially crafted webpage.
This attack could be used to gain more visibility on a special ad or even to spread scams, like...

When a visitor opened a page with this code:
<iframe src="http://figueiradafoz.olx.pt/favoritos/?op=park&id=441731811&in=1" height="0" width="0"></iframe>
It would add that ad to the favourites section of the user. Even if they aren't authenticated.

This issue was fixed by the local company responsible for OLX in Portugal in few days.
I didn't test similar issues on other OLX sites but I hope my alert helped them to spread the word around about CSRF.

08 Nov 2013: Sent security advisory to OLX
08 Nov 2013: OLX replied that they are looking into it
15 Nov 2013: OLX reported that the problem has been fixed
03 Jan 2014: Full disclosure