CVE-2023-27576 / Hacking Phplist: How I Gained Super Admin Access
This vulnerability affects phplist version 3.6.12.
What is phplist?
Phplist is a robust email marketing and newsletter management tool that lets its users send mass emails to subscribers easily. With phplist, you can create and manage subscriber lists, send targeted campaigns, track email performance, and automate email sequences. The platform is highly flexible and customizable, supporting multiple languages and integration with other applications. Ultimately, phplist provides a cost-effective and efficient solution for businesses and organizations seeking to streamline their email marketing efforts.
Analyzing the administrative panel and user permissions:
While logged into phplist as an administrator, I created a new admin account named “cupcake” with limited privileges, i.e. without super admin rights. When I then tried to edit the “admin” user as “cupcake”, I was unexpectedly redirected to my own “cupcake” profile. This behavior caught my attention, since it restricted my access to the “admin” account, which is typically reserved for super admins only.
Without being a super admin, it is not possible to edit or create new users.
As shown in the image below, my phplist admin account “cupcake” has been assigned the ID number 2. During my testing, I intercepted the request sent when saving changes to the profile and noticed something intriguing about it.
Upon examining the intercepted request, I discovered that its parameters include an “ID” parameter that identifies the admin being edited, and an “updatepassword” parameter set to 1. When “updatepassword” is set to 1, phplist sends an email to the address stored for that account, prompting the owner to reset their password. This is a crucial security feature that helps keep accounts secure and prevents unauthorized access, but only if the server checks who is allowed to trigger it.
During my testing, I discovered that by manipulating the “ID” parameter in the intercepted request and changing the associated username, I was able to successfully modify the super admin’s user account data. This unexpected behavior poses a significant security risk since it allows non-super admin users to gain access to sensitive user account information and potentially compromise the entire system.
To test the security vulnerability further, I changed the “ID” parameter in the intercepted request from my own user account’s ID (2) to the super admin’s ID number (1). Additionally, I changed the login name to “admin2” for testing purposes.
To my surprise, I was able to successfully modify the super admin’s user account data, including their login name and other sensitive information.
Using the information I gathered, I changed the super admin’s login name and email to an email account under my control. Furthermore, I set the “updatepassword” parameter to 1 to trigger an email to reset the super admin’s password, allowing me to perform an account takeover. This highlights the severity of the vulnerability and emphasizes the importance of implementing proper server-side access controls to prevent unauthorized access and protect user data.
Wow, I received the email to reset the super admin’s password. =)
After accessing the link, I was able to change the super admin’s password.
After that, I was able to successfully log in and perform an account takeover of the super admin.
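The root cause of the chain above is that the edit handler trusts the submitted “ID” instead of checking it against the logged-in admin’s session. As an added illustration (my own code, not phplist’s), the toy handler below shows the flawed pattern next to a hardened one; the admin table, the function names and the parsed form dict are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass
class Admin:
    id: int
    loginname: str
    email: str
    superuser: bool = False

class Forbidden(Exception):
    """Raised when the logged-in admin may not edit the requested record."""

# Only these form keys may ever be copied into the record.
ALLOWED_FIELDS = ("loginname", "email", "superuser")

def make_admins() -> dict:
    # Constructed sample admin table: id 1 is the super admin, id 2 is "cupcake".
    return {
        1: Admin(1, "admin", "admin@example.invalid", superuser=True),
        2: Admin(2, "cupcake", "cupcake@example.invalid"),
    }

def _changes(form: dict) -> dict:
    return {k: form[k] for k in ALLOWED_FIELDS if k in form}

def update_admin_insecure(admins: dict, actor_id: int, form: dict):
    """Flawed pattern: the record to edit comes from the submitted 'id', so only
    the UI redirect, not the server, stops admin 2 from rewriting admin 1."""
    target_id = int(form["id"])
    admins[target_id] = replace(admins[target_id], **_changes(form))
    # Returns the record and whether a password-reset mail would be sent.
    return admins[target_id], form.get("updatepassword") == "1"

def update_admin(admins: dict, actor_id: int, form: dict):
    """Hardened pattern: authorise against the session identity (actor_id)
    before touching data, and never let a non-super admin grant superuser."""
    actor = admins[actor_id]
    target_id = int(form["id"])
    if target_id not in admins:
        raise KeyError(target_id)
    if not actor.superuser and target_id != actor_id:
        raise Forbidden(f"admin {actor_id} may not edit admin {target_id}")
    changes = _changes(form)
    if not actor.superuser and changes.get("superuser"):
        raise Forbidden(f"admin {actor_id} may not grant superuser")
    admins[target_id] = replace(admins[target_id], **changes)
    # The reset mail is only triggered for an update that passed the checks.
    return admins[target_id], form.get("updatepassword") == "1"

def is_forbidden(admins: dict, actor_id: int, form: dict) -> bool:
    """Helper for callers/tests: True if the hardened handler rejects the edit."""
    try:
        update_admin(admins, actor_id, form)
    except Forbidden:
        return True
    return False
```

The essential difference is that the hardened handler derives the actor from the session and compares it with the submitted ID before any write, so the redirect in the UI is no longer the only control.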
Thank you for reading and see you next time. ( ¬‿¬)