[VIM] Vendor ACK for PHPList issues

Steven M. Christey coley at mitre.org
Fri Aug 5 01:58:08 EDT 2005


The PhpList vendor appears to have posted an advisory on some recently
reported issues (CAN-2005-2432, CAN-2005-2433)

http://tincan.co.uk/?lid=851

I can't find a date on it, but it looks pretty close.  I have an
e-mail into the vendor just to be sure.

- Steve



======================================================
Candidate: CAN-2005-2432
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2432
Reference: BUGTRAQ:20050728 PhpList Sql Injection and Path Disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
Reference: BUGTRAQ:20050731 PHPList Vunerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112291396731712&w=2
Reference: CONFIRM:http://tincan.co.uk/?lid=851
Reference: OSVDB:18316
Reference: URL:http://www.osvdb.org/18316
Reference: SECUNIA:16274
Reference: URL:http://secunia.com/advisories/16274

SQL injection vulnerability in PhpList allows remote attackers to
modify SQL statements via the id argument to admin pages such as (1)
members or (2) admin.


======================================================
Candidate: CAN-2005-2433
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2433
Reference: BUGTRAQ:20050728 PhpList Sql Injection and Path Disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
Reference: CONFIRM:http://tincan.co.uk/?lid=851

PhpList allows remote attackers to obtain sensitive information via a
direct request to (1) about.php, (2) connect.php, (3) domainstats.php
or (4) usercheck.php in public_html/lists/admin directory, (5)
attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9)
usermgt.php, or (10) users.php in admin/commonlib/pages directory,
(11) helloworld.php, or (12) sidebar.php in
public_html/lists/admin/plugins directory, or (13) main.php in
public_html/lists/admin/plugsins/defaultplugin directory, which reveal
the path in an error message.




More information about the VIM mailing list