source: https://www.securityfocus.com/bid/53693/info

PHPList is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

PHPList 2.10.9 is vulnerable; other versions may also be affected.

# --------------------------------------- #
# This PoC was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 1) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User-tainted data is embedded into a function that compiles PHP code on the
# fly and executes it, allowing an attacker to inject their own PHP code that
# will then be executed. This vulnerability can lead to full server compromise.
#
# Look at the file Sajax.php in the directory admin/commonlib/lib, at line 63:
#
# 63.         $func_name = $_POST["rs"];
#             if (! empty($_POST["rsargs"]))
#                 $args = $_POST["rsargs"];
#             else
#                 $args = array();
#         }
#
#         if (! in_array($func_name, $sajax_export_list))
#             echo "-:$func_name not callable";
#         else {
#             echo "+:";
# 74.         $result = call_user_func_array($func_name, $args);
#             echo $result;
#         }
#         exit;
#     }
#
# So we have the variable $func_name taken from the POST parameter rs :)
# Above this code the same is done with $_GET['rs'], which is just what an attacker wants.
# Look at line 74:
# call_user_func_array($func_name, $args);
# An attacker can inject PHP code through the GET or POST parameter.
# --------------------------------------- #
# 2) PoC :
#
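The snippet quoted above hands a client-supplied string straight to call_user_func_array() after only a loose in_array() check against an export list. The following is an added example, not code from the advisory, from PHPList or from the Sajax library, showing the hardened shape of the same dispatcher: the client string is used only as a key into an explicit server-side registry, the rsargs value is validated as a short list of scalars, call failures are caught, and rejected names are logged rather than echoed back. The registry entries, the rpc_* function names and the constructed requests at the bottom are assumptions for illustration only.

```php
<?php
// Added example, not code from the advisory or from PHPList/Sajax: a hardened
// version of the dispatch pattern quoted in the advisory ($_POST["rs"] and
// "rsargs" fed to call_user_func_array). Registry entries, function names and
// the constructed requests at the bottom are assumptions for illustration.

// Explicit registry: public RPC name => server-side callable.
// The client-supplied string is only ever used as an array key, never passed
// to call_user_func_array() directly, so it cannot name an arbitrary function,
// and an empty or misconfigured export list cannot widen what is callable.
const RPC_REGISTRY = [
    'ping'               => 'rpc_ping',
    'getSubscriberCount' => 'rpc_get_subscriber_count',
];

function rpc_ping(): string
{
    return 'pong';
}

function rpc_get_subscriber_count(int $listId): int
{
    // Constructed stand-in for a database lookup.
    return $listId === 1 ? 42 : 0;
}

// Validate the "rsargs" value: a short, zero-indexed list of scalars, nothing else.
// Returns null on rejection so the caller can tell "no args" from "bad args".
function rpc_validate_args($raw): ?array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    if (!is_array($raw) || count($raw) > 8) {
        return null;
    }
    foreach ($raw as $key => $value) {
        if (!is_int($key) || !is_scalar($value)) {
            return null;
        }
    }
    return array_values($raw);
}

// Dispatch one request and return the Sajax-style "+:" / "-:" response.
// $name and $rawArgs are whatever arrived as rs / rsargs in GET or POST.
function rpc_dispatch($name, $rawArgs): string
{
    if (!is_string($name) || !array_key_exists($name, RPC_REGISTRY)) {
        // Log the rejected name for detection, but do not echo it back to the
        // client (the original reflects "-:$func_name not callable" verbatim).
        error_log('rpc: rejected function name ' . var_export($name, true));
        return '-:not callable';
    }
    $args = rpc_validate_args($rawArgs);
    if ($args === null) {
        error_log("rpc: rejected arguments for $name");
        return '-:bad arguments';
    }
    try {
        $result = call_user_func_array(RPC_REGISTRY[$name], $args);
    } catch (TypeError $e) {
        // ArgumentCountError (too few args) is a TypeError subclass, so this
        // also covers a request that omits required parameters.
        error_log("rpc: call to $name failed: " . $e->getMessage());
        return '-:bad arguments';
    }
    return '+:' . (is_scalar($result) ? (string) $result : json_encode($result));
}

// Constructed requests for a stand-alone run (php this_file.php):
$requests = [
    ['ping', null],                        // +:pong
    ['getSubscriberCount', [1]],           // +:42
    ['getSubscriberCount', []],            // -:bad arguments (missing $listId)
    ['someOtherFunction', ['x']],          // -:not callable (not in the registry)
    ['getSubscriberCount', ['k' => 1]],    // -:bad arguments (not a list)
];
foreach ($requests as [$name, $args]) {
    echo rpc_dispatch($name, $args), "\n";
}
```

The key design choice is that no client-controlled value ever reaches call_user_func_array() as the callable: array_key_exists() on a fixed registry replaces the loose in_array() check, so neither type juggling nor an empty $sajax_export_list can change which functions are reachable. Logging rejected names with error_log() gives a detection hook for probes against the endpoint without reflecting attacker input into the response.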