PHPlist multiple .php scripts path disclosure

phplist-multiple-scripts-path-disclosure (21579) The risk level is classified as LowLow Risk

Description:

PHPlist could disclose the installation path. A remote attacker could send a specially-crafted URL request to the about.php, connect.php, domainstats.php, usercheck.php, attributes.php, dbcheck.php, importcsv.php, user.php, usermgt.php, users.php, helloworld.php, sidebar.php, or main.php scripts to obtain the full installation path.


Consequences:

Obtain Information

Remedy:

No remedy available as of July 9, 2011.

References:

  • BugTraq Mailing List, Wed Jul 27 2005 - 19:01:05 CDT : PhpList Sql Injection and Path Disclosure.
  • PHPlist Web page: tincan ltd : phplist : What is PHPlist.
  • BID-14403: PHPList Admin Page SQL Injection Vulnerability
  • CVE-2005-2433: PhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domainstats.php or (4) usercheck.php in public_html/lists/admin directory, (5) attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9) usermgt.php, or (10) users.php in admin/commonlib/pages directory, (11) helloworld.php, or (12) sidebar.php in public_html/lists/admin/plugins directory, or (13) main.php in public_html/lists/admin/plugsins/defaultplugin directory, which reveal the path in an error message.
  • OSVDB ID: 18317: PHPlist attributes.php Direct Request Path Disclosure
  • OSVDB ID: 18318: PHPlist helloworld.php Direct Request Path Disclosure
  • OSVDB ID: 18319: PHPlist main.php Direct Request Path Disclosure
  • OSVDB ID: 18320: PHPlist admin/about.php Direct Request Path Disclosure
  • OSVDB ID: 18321: PHPlist admin/connect.php Direct Request Path Disclosure
  • OSVDB ID: 18322: PHPlist admin/domainstats.php Direct Request Path Disclosure
  • OSVDB ID: 18323: PHPlist admin/usercheck.php Direct Request Path Disclosure
  • OSVDB ID: 18324: PHPlist plugins/sidebar.php Direct Request Path Disclosure
  • OSVDB ID: 18325: PHPlist pages/dbcheck.php Direct Request Path Disclosure
  • OSVDB ID: 18326: PHPlist pages/importcsv.php Direct Request Path Disclosure
  • OSVDB ID: 18327: PHPlist pages/user.php Direct Request Path Disclosure
  • OSVDB ID: 18328: PHPlist pages/usermgt.php Direct Request Path Disclosure
  • OSVDB ID: 18329: PHPlist pages/users.php Direct Request Path Disclosure

Platforms Affected:

  • phpList phpList

Reported:

Jul 27, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page