CVE-2020-23361

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication in phpList by exploiting PHP's type juggling behavior. When a password hash is compared with '==' and both strings have the form '0e' followed only by digits, PHP treats them as numeric strings and evaluates each as zero, so two different hashes compare as equal and the login succeeds, granting unauthorized access. All phpList 3.5.3 installations with default configurations are affected.

💻 Affected Systems

Products:
  • phpList
Versions: 3.5.3 specifically, potentially earlier versions with similar code patterns
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the vulnerable comparison operator for password verification.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the phpList instance, allowing attackers to access all mailing lists, subscriber data, send unauthorized emails, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized administrative access leading to data theft, email list manipulation, and spam campaigns sent from legitimate infrastructure.

🟢 If Mitigated

Limited impact if strong network segmentation, monitoring, and additional authentication layers are in place.

🌐 Internet-Facing: HIGH - phpList is typically internet-facing for email list management, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances could still be compromised via insider threats or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires finding or generating password hashes that begin with '0e' followed by only numeric characters, which can be brute-forced.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4 and later

Vendor Advisory: https://github.com/phpList/phplist3/issues/668

Restart Required: No

Instructions:

1. Backup your phpList installation and database.
2. Download phpList 3.5.4 or later from the official repository.
3. Replace the vulnerable files, particularly those containing password comparison logic.
4. Verify the fix by testing authentication.

🔧 Temporary Workarounds

Manual code patch

linux

Replace '==' with '===' in the password comparison so the stored and submitted hashes are compared as strings, without numeric coercion. Apply the change to the authentication check only: a blanket "s/==/===/g" would also turn existing '===' into '====' and '!==' into '!===', and would change the behaviour of every other loose comparison in phpList. The substitution below avoids corrupting existing strict operators but still touches every loose comparison in those files, so back the files up and review the diff before deploying.

# -i.bak keeps a backup copy of each file; the pattern skips '===' and '!==' that are already present
sed -i.bak -E 's/([^=!<>])==([^=])/\1===\2/g' /path/to/phplist/includes/*.php
sed -i.bak -E 's/([^=!<>])==([^=])/\1===\2/g' /path/to/phplist/admin/*.php
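As an added illustration of the TL;DR and of the workaround above (example code written for this page, not phpList's own authentication code; the hash values are constructed and the function names verifyLoose, verifyStrict and isLooseEqualityRisk are hypothetical), the following shows the loose comparison accepting two different hashes, the strict replacement rejecting them, and a small audit helper for spotting stored hashes that fall into the affected class:

```php
<?php
// Added example (not phpList's code): how PHP's loose comparison ("==") lets two
// different hash strings compare equal, and how a strict check avoids it.
// The hash values below are constructed for illustration; they are not real digests.
// Function names (verifyLoose, verifyStrict, isLooseEqualityRisk) are hypothetical.

declare(strict_types=1);

// Constructed stand-ins for a stored hash and the hash of a submitted password.
// Both have the form "0e" followed only by digits, so "==" parses each one as the
// float 0e<digits>, i.e. 0.0, and reports them as equal.
const STORED_HASH    = '0e111111111111111111111111111111';   // constructed
const SUBMITTED_HASH = '0e222222222222222222222222222222';   // constructed

// Vulnerable pattern: loose comparison with numeric-string coercion.
function verifyLoose(string $storedHash, string $submittedHash): bool
{
    return $storedHash == $submittedHash;
}

// Hardened pattern: hash_equals() compares byte by byte, never coerces types,
// and runs in constant time with respect to the string contents. A plain
// "===" also removes the coercion but is not timing-safe.
function verifyStrict(string $storedHash, string $submittedHash): bool
{
    return hash_equals($storedHash, $submittedHash);
}

// Audit helper: does a stored hash look like a numeric string of the "0e<digits>"
// form that "==" would coerce? Useful when reviewing a legacy hash table for
// accounts that a loose comparison would treat as equal to one another.
function isLooseEqualityRisk(string $hash): bool
{
    return preg_match('/^0e[0-9]+$/i', $hash) === 1;
}

// Demonstration run.
var_dump(verifyLoose(STORED_HASH, SUBMITTED_HASH));
var_dump(verifyStrict(STORED_HASH, SUBMITTED_HASH));
var_dump(isLooseEqualityRisk(STORED_HASH));
var_dump(isLooseEqualityRisk('5f4dcc3b5aa765d61d8327deb882cf99')); // constructed hex string
```

Run with `php example.php`: verifyLoose() returns true for the two different constructed hashes, which is the defect; verifyStrict() returns false; isLooseEqualityRisk() flags the "0e" hash and not the ordinary hex string. The behaviour is the same on PHP 7 and PHP 8, because PHP 8's comparison changes only affect numeric-versus-non-numeric strings, and both hashes here are numeric strings.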

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block authentication bypass attempts
  • Add multi-factor authentication (MFA) to phpList admin interface

🔍 How to Verify

Check if Vulnerable:

Check if your phpList version is 3.5.3 by examining the version.php file or admin interface. Review code for '==' comparisons in authentication functions.

Check Version:

grep -r "\$version" /path/to/phplist/version.php 2>/dev/null || echo "Check admin interface"

Verify Fix Applied:

After patching, attempt to authenticate with a password hash beginning with '0e' followed by numbers. Access should be denied.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login with unusual user agent
  • Admin login from unexpected IP addresses

Network Indicators:

  • Unusual SMTP traffic patterns from phpList server
  • Authentication requests with specially crafted password hashes

SIEM Query:

source="phpList_logs" (event="login_success" AND user="admin") | stats count by src_ip
