SecurityTracker.com
Category: Application (E-mail Server) > ListManager
Vendors: Lyris Technologies
Lyris ListManager Lets Remote Authenticated Administrators Add Users to Arbitrary Lists
SecurityTracker Alert ID:  1016771
SecurityTracker URL:  http://securitytracker.com/id/1016771
CVE Reference:   CVE-2006-4546, CVE-2006-4547
Updated:  Jun 8 2008
Original Entry Date:  Aug 31 2006
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 8.95
Description:   A vulnerability was reported in Lyris ListManager. A remote authenticated list administrator can add administrative users to arbitrary lists on the target system.

A remote authenticated list administrator can submit the form to add an administrative user with the hidden HTML 'MEMBERS_.List_' value set to the name of the target list. The new administrative user account will be added on the target list, even if the list administrator is not an authorized administrator for the target list.

It may also be possible to submit a specially crafted user name value to execute SQL commands on the underlying database. The original report observed that a user name containing a single quote produced SQL error messages that disclosed part of the failing query, but the report did not confirm SQL injection.

'Design Properly' reported this vulnerability.

Impact:   A remote authenticated list administrator for at least one list on the system can add administrative users to other, arbitrary lists on the same system.

A remote authenticated list administrator may be able to execute SQL commands on the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.lyris.com/products/listmanager/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Red Hat Enterprise), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Wed, 30 Aug 2006 21:14:27 -0700 (PDT)
Subject:  [Full-disclosure] Lyris ListManager 8.95: Add arbitrary


Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email campaigns, newsletters, and discussion groups." http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of a list on the server to add an arbitrary user as an administrator to any other list hosted on the same server.  Specifically, the form one fills out to add an administrator contains a hidden form field with the name of the list to which the administrator will be added.  By changing this value and submitting the form (using tools like TamperData for Firefox), you can add an arbitrary user as an administrator for an arbitrary list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single quote, e.g. "O'Conner."  Frequently, as I navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details about what failed.  I'm sure there are SQL injection possibilities here as well; I just don't have time to explore.  And where there are SQL injection opportunities, there are often opportunities for JavaScript injection.

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many administrators you have on your mailing list server, how much you can really trust them, and the value of your mailing lists.  That is, a company that has five administrators for a public list shouldn't care.  However, if you've got a lot of administrators and a few lists whose discussions would be worth intercepting or disrupting, you're at high risk for abuse as a result of this vulnerability.  Until the vendor solves this and other issues, you're going to have to have a high level of trust in the people administering your lists, or use a different mailing list server.
Best of luck.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
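The two weaknesses described above (the SecurityTracker entry's "access control error" and "input validation error", and the advisory's hidden MEMBERS_.List_ field and single-quote SQL errors) reduce to two server-side mistakes in the "add administrator" handler. The following Python is an added example, not ListManager's code or the reporter's; it uses a constructed in-memory SQLite table whose names echo the hidden-field names on the page (MEMBERS_, List_, IsListAdm_, EMAILADDR_, FullName_) but does not reproduce the real product schema. The vulnerable handler trusts the hidden list name and concatenates form values into SQL; the hardened handler decides authorization from the login session, binds parameters, and records denied attempts for review.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema for the demo: names echo the advisory's hidden fields,
# but the real ListManager schema is not on the page and is not reproduced.
SCHEMA = """
CREATE TABLE MEMBERS_ (
    EMAILADDR_ TEXT NOT NULL,
    List_      TEXT NOT NULL,
    IsListAdm_ TEXT NOT NULL DEFAULT 'F',
    FullName_  TEXT
);
"""

# Audit trail of denied attempts; a deployment would forward these to a SIEM.
AUDIT = []


@dataclass
class Session:
    """The authenticated list administrator, as established at login."""
    email: str


def open_db():
    """Create an in-memory database with constructed seed data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO MEMBERS_ (EMAILADDR_, List_, IsListAdm_, FullName_) VALUES (?, ?, ?, ?)",
        [
            ("alice@example.org", "newsletter", "T", "Alice"),  # administers 'newsletter' only
            ("bob@example.org", "board", "T", "Bob"),           # administers 'board' only
        ],
    )
    return db


def admins_of(db, list_name):
    rows = db.execute(
        "SELECT EMAILADDR_ FROM MEMBERS_ WHERE List_ = ? AND IsListAdm_ = 'T'", (list_name,))
    return {r[0] for r in rows}


def lists_administered_by(db, email):
    rows = db.execute(
        "SELECT List_ FROM MEMBERS_ WHERE EMAILADDR_ = ? AND IsListAdm_ = 'T'", (email,))
    return {r[0] for r in rows}


def full_name_of(db, email):
    row = db.execute("SELECT FullName_ FROM MEMBERS_ WHERE EMAILADDR_ = ?", (email,)).fetchone()
    return row[0] if row else None


def add_admin_vulnerable(db, session, form):
    """Reproduces the flaw: the target list comes from the hidden MEMBERS_.List_
    field with no check that `session` administers it, and form values are
    spliced into the SQL text, so a name like O'Conner breaks the statement and
    the raw error plus query text is echoed back to the user."""
    target_list = form["MEMBERS_.List_"]
    email = form["MEMBERS_.EMAILADDR_"]
    name = form["MEMBERS_.FullName_"]
    sql = ("INSERT INTO MEMBERS_ (EMAILADDR_, List_, IsListAdm_, FullName_) "
           f"VALUES ('{email}', '{target_list}', 'T', '{name}')")
    try:
        db.execute(sql)
        db.commit()
        return 200, f"added {email} as administrator of {target_list}"
    except sqlite3.Error as exc:
        return 500, f"SQL error: {exc} -- query: {sql}"


def add_admin_hardened(db, session, form):
    """Same operation with both weaknesses removed."""
    target_list = form["MEMBERS_.List_"]
    email = form["MEMBERS_.EMAILADDR_"]
    name = form["MEMBERS_.FullName_"]
    # Authorization is decided from the session, never from the hidden field:
    # the client may send any list name, but it is honoured only if the caller
    # already administers that list.
    if target_list not in lists_administered_by(db, session.email):
        AUDIT.append(f"DENIED {session.email} tried to add {email} as admin of {target_list}")
        return 403, "not an administrator of the requested list"
    # Bound parameters keep user data out of the SQL text, so a quote is stored
    # literally instead of terminating the string; nothing about the query leaks.
    db.execute(
        "INSERT INTO MEMBERS_ (EMAILADDR_, List_, IsListAdm_, FullName_) VALUES (?, ?, 'T', ?)",
        (email, target_list, name))
    db.commit()
    return 200, f"added {email} as administrator of {target_list}"


if __name__ == "__main__":
    db = open_db()
    alice = Session("alice@example.org")
    cross = {"MEMBERS_.List_": "board", "MEMBERS_.EMAILADDR_": "mallory@example.org",
             "MEMBERS_.FullName_": "Mallory"}
    quoted = {"MEMBERS_.List_": "newsletter", "MEMBERS_.EMAILADDR_": "oc@example.org",
              "MEMBERS_.FullName_": "O'Conner"}
    print(add_admin_hardened(db, alice, cross))    # 403: alice does not administer 'board'
    print(add_admin_vulnerable(db, alice, cross))  # 200: mallory is now an admin of 'board'
    print(add_admin_vulnerable(db, alice, quoted)) # 500 with the query text echoed back
    print(add_admin_hardened(db, alice, quoted))   # 200: O'Conner stored intact
    print(AUDIT)
```

The check in the hardened handler is the whole fix for the access control half: the hidden field is still accepted as input, it just no longer decides anything the session has not already established. The AUDIT entries are the signal a defender would alert on, since a legitimate administrator has no reason to submit a list name they do not administer.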

Copyright 2014, SecurityGlobal.net LLC