[原文]PHPMailList 1.8.0 stores sensitive information under the web document root iwth insufficient access control, which allows remote attackers to obtain email addresses of subscribers, configuration information, and the admin username and password via direct requests to (1) list.dat or (2) ml_config.dat.
PHPMailList list.dat Subscriber E-mail List Disclosure
Remote / Network Access
Loss of Confidentiality
PHP.WarpedWeb.Net PHPMailList contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote user requests the 'list.dat' file directly via the URI, which will disclose the subscriber e-mail list resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.