PHPList Include File Vulnerability

Per http://isc.sans.org/diary.html?storyid=5794:

PHPList is an open-source newsletter manager. It is written in PHP. On January 29th 2009 they posted a software update. “[The update] fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.”

They also included a one-line workaround if you could not patch fast enough.

UPDATE: An exploit against this vulnerability was published and used in the wild on Jan 14th 2009, 2 weeks before the patch was issued.

On PHPList.com, the following was listed:

We’ve released version 2.10.9 that fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.

Everyone using any version up to this one is advised to upgrade as soon as possible.

This is quite a serious exploit as it allows an attacker unauthorized access to your files and their contents. Some files may include sensitive database login information providing the hacker with customer/visitor data.

If you’ve installed PHPList manually, we strongly encourage you to update your installation using the new packages available on PHPList’s Download Page.

If you’ve installed PHPList through Fantastico, we unfortunately don’t have an upgrade as of yet, since Fantastico is maintained by a third-party provider. We’ve notified the third-party provider and will update this post as soon as an update is available. For the time being, we strongly encourage you to follow PHPList’s direction to secure your installation from this attack:

If you don’t want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:

———-

// Place this at the top of admin/index.php, directly after the opening <?php tag.
// It ends the request immediately if a parameter named _SERVER was supplied.
if (isset($_REQUEST['_SERVER'])) { exit; }

———-

This will at least stop your installation from being vulnerable to this attack.
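The one-line workaround tests only `$_REQUEST` and only the single key `_SERVER`. The following is an added example, not code from PHPList or from the Arvixe post, showing how a hosting or application administrator can harden the same idea: the guard rejects any request that tries to supply a superglobal name, reads `$_GET`, `$_POST` and `$_COOKIE` directly (what `$_REQUEST` contains depends on the `request_order` / `variables_order` INI settings), confines any configurable include path to an allowed directory, and flags access-log lines that carry such a parameter so an attempt can be spotted after the fact. The function names, the list of reserved keys beyond `_SERVER`, and the sample log lines are assumptions made for the example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not PHPList or Arvixe code. Generalizes the one-line
// workaround: rejects any superglobal name supplied by a client, checks each
// input array explicitly, confines includes to a directory, and detects the
// pattern in access-log lines. Names, key list and log lines are assumptions.

// Superglobal names a client should never be able to supply. The workaround
// covers only '_SERVER'; the remaining entries are a hardening assumption.
const RESERVED_REQUEST_KEYS = [
    '_SERVER', '_ENV', '_SESSION', '_COOKIE', '_GET', '_POST',
    '_FILES', '_REQUEST', 'GLOBALS',
];

// Return the first reserved key found in any supplied input array, or null.
// $_REQUEST is avoided on purpose: which arrays it merges depends on the
// request_order / variables_order INI settings, so checking each source
// array explicitly does not depend on server configuration.
function find_reserved_request_key(array ...$inputs): ?string
{
    foreach ($inputs as $input) {
        foreach (array_keys($input) as $key) {
            if (in_array((string) $key, RESERVED_REQUEST_KEYS, true)) {
                return (string) $key;
            }
        }
    }
    return null;
}

// True only if $candidate resolves (symlinks included) to an existing file
// inside $allowedDir. Guarding every configurable include path this way
// closes the local file include class of bug regardless of how the path was
// derived, which is what the workaround only approximates.
function is_path_inside(string $candidate, string $allowedDir): bool
{
    $real = realpath($candidate);
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Detection: does an access-log line carry a reserved parameter name in its
// query string, followed by '[', its URL-encoded form '%5B', or '='?
function log_line_has_reserved_parameter(string $line): bool
{
    $names = implode('|', array_map(
        function (string $k): string { return preg_quote($k, '/'); },
        RESERVED_REQUEST_KEYS
    ));
    return preg_match('/[?&](?:' . $names . ')(?:\[|%5B|=)/i', $line) === 1;
}

// Small self-check helper that does not depend on the zend.assertions setting.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('self-check failed: ' . $what);
    }
}

if (PHP_SAPI !== 'cli') {
    // Web context: the guard, placed where the workaround line goes.
    $bad = find_reserved_request_key($_GET, $_POST, $_COOKIE);
    if ($bad !== null) {
        error_log('Rejected request supplying reserved parameter name ' . $bad);
        http_response_code(400);
        exit;
    }
} else {
    // CLI self-check on constructed inputs only (no real traffic involved).
    expect(find_reserved_request_key(['page' => 'home']) === null, 'clean request passes');
    expect(find_reserved_request_key(['page' => 'home'], ['_SERVER' => ['x' => 'y']]) === '_SERVER', '_SERVER in POST');
    expect(find_reserved_request_key([], [], ['GLOBALS' => '1']) === 'GLOBALS', 'GLOBALS in cookie');
    expect(is_path_inside(__FILE__, __DIR__) === true, 'file inside its own directory');
    expect(is_path_inside(__DIR__ . '/../definitely-missing.php', __DIR__) === false, 'missing file rejected');

    $sampleLog = [ // constructed lines in Apache combined-log shape
        '203.0.113.7 - - [01/Feb/2009:10:01:22 +0000] "GET /lists/admin/index.php?page=home HTTP/1.1" 200 1234',
        '203.0.113.7 - - [01/Feb/2009:10:01:30 +0000] "GET /lists/admin/index.php?_SERVER%5Bx%5D=y HTTP/1.1" 200 0',
    ];
    $hits = array_values(array_filter($sampleLog, 'log_line_has_reserved_parameter'));
    expect(count($hits) === 1, 'exactly one log line flagged');
    echo 'Self-check passed; flagged log lines: ' . count($hits) . "\n";
}
```

Run it with `php guard.php` to execute the self-check; included from a web entry point it acts as the guard and returns HTTP 400 on a matching request. The key-name check is a stopgap in the same spirit as the workaround; the durable fix is the vendor update plus confining include paths with `is_path_inside`, since the latter holds even if request data reaches the include through some other route.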

You can insert this to the top of your index.php inside the admin directory through our file manager’s text editor. If you are not sure how to do this, please contact Arvixe support and we will be more than happy to assist you.

Posted under cPanel/Linux Hosting, PHPList, Security/Vulnerability