--This is a forwarded message
From: Secunia Security Advisories <sec-adv@xxxxxxxxxxx>
To: 3APA3A@xxxxxxxxxxxxxxxx <3APA3A@xxxxxxxxxxxxxxxx>
Date: Friday, December 9, 2005, 7:02:50 PM
Subject: [SA17943] Lyris ListManager Multiple Vulnerabilities
===8<==============Original message text===============
TITLE:
Lyris ListManager Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17943
VERIFY ADVISORY:
CRITICAL:
Less critical
IMPACT:
Manipulation of data, Exposure of system information, Privilege
escalation
WHERE:
>From remote
SOFTWARE:
Lyris ListManager 7.x
Lyris ListManager 6.x
Lyris ListManager 5.x
Lyris ListManager 8.x
DESCRIPTION:
H D Moore has reported some vulnerabilities in Lyris ListManager,
which be exploited by malicious users to perform certain actions with
escalated privileges or to conduct SQL injection attacks, and by
malicious people to disclose certain system information.
1) Input passed to the "pw" parameter in the web interface for
subscribing a new user to the mailing list isn't properly sanitised
before being inserted into the processing queue as a command message.
This can be exploited to execute arbitrary list administration
commands via specially crafted input containing %0A%0D sequences.
2) Input passed to "/read/attachment" isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
3) Input passed to certain parameters isn't properly sanitised before
being used as column name to the ORDER BY command in a SQL query. This
can be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
4) The MSDE version of ListManager uses a weak default password for
the database after installation. The password is reportedly set to
"lyris" followed by a 1 to 5 digit number. This password can
potentially be derived by a brute-force attack.
5) Certain versions of ListManager allows access to the "status"
module of the TCLHTTPd service. This can be exploited to reveal
detailed information about the server configuration.
6) An error in the TCLHTTPd service can be exploited to view the
source of arbitrary TML scripts on the server by appending a URL
encoded NULL byte to the request (e.g. /read/.tml%00).
7) The entire CGI environment is included into a HTML hidden variable
of the error page when a non-existent page is requested. This
potentially reveals information of the software version and the
installation path.
The vulnerabilities have been reported in versions 5.0 through 8.8a.
Note: It has also been reported that the error message that is
generated when an error occurs in a TML script reveals certain
information such as the installation path, software version, SQL
queries and certain code blocks.
SOLUTION:
Vulnerabilities #2, #3, #5, #6, and #7 has reportedly been fixed in
version 8.9b.
PROVIDED AND/OR DISCOVERED BY:
H D Moore
ORIGINAL ADVISORY:
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
Definitions: (Criticality, Where etc.)
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
===8<===========End of original message text===========
--
~/ZARAZA
ëÏÇÄÁ ÐÔÉÞËÁ ÐÏÇÉÂÁÅÔ ÏÔ ÏÂÖÏÒÓÔ×Á, ÅÅ ÎÁÎÉÚÙ×ÁÀÔ ÎÁ ×ÅÒÔÅÌ. (ìÅÍ)
