SecurityTracker.com
Category:   Application (E-mail Server)  >   LISTSERV Vendors:   L-Soft
L-Soft LISTSERV Input Validation Flaw in WA.EXE Management Interface May Permit Cross-Site Scripting Attacks Against List Administrators
SecurityTracker Alert ID:  1008551
SecurityTracker URL:  http://securitytracker.com/id/1008551
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 27 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in L-Soft's LISTSERV mailing list software. A remote user can conduct cross-site scripting attacks against administrators.

http-equiv reported that the WA.EXE management interface does not properly filter HTML code from user-supplied input in some of the script parameters before displaying information based on the user-supplied input.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LISTSERV software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
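As an added illustration (editorial example, not code from the advisory or from L-Soft), the following Python models the class of flaw described: a CGI-style handler that reflects the `L` list-name parameter from the query string into the page. `render_list_page_unfiltered` mirrors the reported behaviour, and `render_list_page_escaped` plus `is_valid_list_name` show the two standard defences (output encoding and input allow-listing). The host `lists.example`, the function names, the page template and the list-name pattern are assumptions; the query string is the one from the advisory's demonstration URL.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed URL: the query string is the advisory's demonstration
# request, the host name is made up.
DEMO_URL = "http://lists.example/Scripts/wa-demo.exe?A1=ind9807&L=demo%3Cimg%3E"

# Assumed allow-list for a list name: letters, digits, underscore, hyphen.
# LISTSERV's real naming rules are not stated on the page.
LIST_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,80}$")


def _list_name(query_string: str) -> str:
    """Extract the (percent-decoded) 'L' parameter from a query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("L", [""])[0]


def render_list_page_unfiltered(query_string: str) -> str:
    """Stand-in for the reported behaviour: the list name is inserted
    into the HTML response verbatim, so any tags in it become markup."""
    return f"<h1>Archives of {_list_name(query_string)}</h1>"


def render_list_page_escaped(query_string: str) -> str:
    """Same page, with the parameter HTML-escaped before insertion, so
    '<' and '>' arrive in the browser as text rather than as a tag."""
    safe = html.escape(_list_name(query_string), quote=True)
    return f"<h1>Archives of {safe}</h1>"


def is_valid_list_name(name: str) -> bool:
    """Allow-list check: reject anything that is not a plausible list
    name instead of trying to filter tags out of it."""
    return bool(LIST_NAME_RE.match(name))


def render_list_page_validated(query_string: str) -> str:
    """Defence in depth: allow-list first, escape on output anyway."""
    name = _list_name(query_string)
    if not is_valid_list_name(name):
        return "<h1>Invalid list name</h1>"
    return f"<h1>Archives of {html.escape(name, quote=True)}</h1>"


if __name__ == "__main__":
    query = urlsplit(DEMO_URL).query
    print("unfiltered:", render_list_page_unfiltered(query))
    print("escaped:   ", render_list_page_escaped(query))
    print("validated: ", render_list_page_validated(query))
```

Running the block prints the three renderings side by side: the unfiltered one contains a live `<img>` element, the escaped one shows `&lt;img&gt;`, and the validated one refuses the request outright. Escaping at the point of output is the fix the advisory's description calls for; the allow-list is an additional layer that also blocks payloads aimed at contexts HTML-escaping alone does not cover.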

A demonstration exploit URL is provided:

http://[target]/Scripts/wa-demo.exe?A1=ind9807&L=demo%3Cimg%3E

[Editor's note: The demonstration URL worked as of the time of the original posting on a site operated by L-Soft, but appears to have been corrected since then.]

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LISTSERV software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.

[Editor's note: It appears that LISTSERV software that is hosted by L-Soft may have been corrected, but that has not been confirmed yet.]

Vendor URL:  www.lsoft.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), OpenVMS, UNIX (AIX), UNIX (BSD/OS), UNIX (FreeBSD), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 27 2003 (Vendor Issues Fix for Windows Platforms) L-Soft LISTSERV Input Validation Flaw in WA.EXE Management Interface May Permit Cross-Site Scripting Attacks Against List Administrators
The vendor has issued a fix for Windows.



 Source Message Contents

Subject:  [Full-Disclosure] DANGER ZONE: Internet Explorer




Friday, December 26, 2003

Technical 'silent delivery and installation of an executable on a 
target computer. No client input other than viewing and web site'.  
This may be achieved with the Internet Explorer series of so-
called "browsers", all security settings set to HIGH !

[***premium advertising space: your ad here for a nominal monthly 
fee contact sales@malware.com***]

Not so simple:

The current trend is to dismiss, pooh pooh, the never-ending ongoing 
[almost daily] discoveries of vulnerabilities in the Internet 
Explorer series of browsers. So much so there remains in the account 
a balance of several full and complete remote compromises [courtesy 
of:  Liu Die Yu 
http://www.safecenter.net/UMBRELLAWEBV4/DirSvc/security/originality/microsoft_ie/index.html] summarily dismissed as "well the internet is 
a big bad place, don't surf to unknown sites, and sites you do know 
and trust, place in the Trusted Zone. You'll be fine. 'Trust Us!'".

Oh. Okay:

The so-called "Trusted Site" zone setting in the Internet Explorer 
series of browsers, is set to LOW on default [screenshot: 
http://www.malware.com/trustus.png 28KB]. What that means 
is 'minimal safeguards and prompts are provided...most content is 
downloaded and run without prompts'. So who do [can] we trust?

For example, we input into the so-called Trusted Zone, the 
manufacturer commonly known as Microsoft Dot Com [screenshot: 
http://www.malware.com/havefaith.png 15KB]. In fact this peculiar 
method and remedy of participating in the World Wide Web is 
recommended by the brains behind the manufacturer commonly known 
as Microsoft Dot Com.

Now what:

There is a small yet critical bug in the mailing list software 
called LISTSERV from http://www.lsoft.com/.  A trivial yet important 
ability to effect the common so-called 'cross site scripting' [see: 
http://www.cert.org/advisories/CA-2000-02.html] 'malicious html tag 
embedding in client web requests':

Microsoft.com uses the mailing list software called LISTSERV. So do 
some 300,000 combined public and local others [Note: These numbers 
do not include Intranet servers]. Banks. Governments. Schools etc  
[see: http://www.lsoft.com/customer/clientlist.asp].

So:

So what that means is if we 'trust' our government, or trust our 
bank or our school or even our software 'manufacturer', we are 
advised to place everyone else in the 'restricted zone' and our 
trusted sites in the 'trusted zone' where:  'minimal safeguards and 
prompts are provided...most content is downloaded and run without 
prompts'.

Example:

http://discuss.microsoft.com/SCRIPTS/WA-MSD.EXE?A0=<IMG%20SRC=javascript:document['write'](location)>&T=malware is in the zone<object>

http://lists.state.gov/SCRIPTS/WA-USIAINFO.EXE?A1=<img>ind0312d&L=dosback

http://demo.lsoft.com/Scripts/wa-demo.exe?A1=ind9807&L=demo<img>

What that means is we can install via 
<object classid="" codebase=""> any executable file from within the 
same domain as we see fit. The same domain in the so-called 'Trusted 
Site' zone that is.  Be it *.gov. *.microsoft.com, *.edu et cetera.

Technically our codebase cannot point to a remote site outside the 
zone as it will be cached in the Temporary Internet File [TIF] and 
will prompt for install as that remote site is in the Internet Zone. 
However, theoretically we can play havoc within our *.gov and .edu 
domains on one another.  More importantly, we might very well be 
able to write our entire Self-Executing HTML file into all of these 
domains:

MIME-Version: 1.0
Content-Location:fi le:///m alware.exe
Content-Transfer-Encoding: base64

TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+
zBqcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB5AAA
AngAAAAAAAAAAAAAAAAA=/www.malware.com/ /
<o bjec t CLAS SID="CLSID:5 5 5 5 5 5 5 5 - 5 5 5 5" 
code base="mhtml:'+path+'">

In which case the entire package will be cached in the TIF under the 
disguise of a so-called 'TRUSTED ZONE' !

Don't trust us. Trust them.

[***less than premium advertising space: your ad here for a nominal 
monthly fee contact sales@malware.com***]

Happy New Year and be safe out there. It's not what it all seems.


End Call


-- 
http://www.malware.com







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
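From the defender's side, the practical question raised by the quoted URLs is whether such requests are hitting one's own LISTSERV web interface. The following Python is an added editorial example (not part of the Full-Disclosure post, and not an L-Soft tool) that scans web-server access logs in Common Log Format for requests to WA*.EXE-style scripts whose query parameters carry HTML markup, including markup hidden behind one or more layers of percent-encoding. The log lines, IP addresses and timestamps are constructed; the request shapes mirror the URLs quoted above. The regular expressions and the decoding depth are assumptions to tune for a real deployment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log (Common Log Format). Line 1 mirrors the advisory's
# demonstration request, line 3 carries a double-encoded tag, lines 2 and 4
# are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2003:10:01:02 +0000] "GET /Scripts/wa-demo.exe?A1=ind9807&L=demo%3Cimg%3E HTTP/1.1" 200 5120
203.0.113.8 - - [27/Dec/2003:10:01:03 +0000] "GET /Scripts/wa-demo.exe?A1=ind9807&L=demo HTTP/1.1" 200 5120
203.0.113.9 - - [27/Dec/2003:10:01:04 +0000] "GET /SCRIPTS/WA-MSD.EXE?A0=%253Cimg%253E&T=x HTTP/1.1" 200 4096
203.0.113.10 - - [27/Dec/2003:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format request line: client, ident, user, [time], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumed path pattern for the LISTSERV web interface scripts (wa.exe, wa-demo.exe, WA-MSD.EXE, ...).
WA_PATH_RE = re.compile(r"/wa[\w-]*\.exe$", re.IGNORECASE)
# Markup indicators: an opening/closing tag or a javascript: URL scheme.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:", re.IGNORECASE)


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %253C -> %3C -> '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) pairs of parameters carrying markup,
    for requests whose path looks like a WA*.EXE script; [] otherwise."""
    parts = urlsplit(target)
    if not WA_PATH_RE.search(parts.path):
        return []
    flagged = []
    # parse_qsl already applies one round of percent-decoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_unquote(value)
        if MARKUP_RE.search(decoded):
            flagged.append((name, decoded))
    return flagged


def scan_log(text: str) -> list:
    """Scan CLF log text and return one record per request that carries
    markup in a WA*.EXE query parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line we understand
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "params": flagged,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The scanner decodes each parameter value to a fixed depth before matching, which is what catches the double-encoded `%253C` form that a single decode would miss; bound the depth, because unbounded decoding of attacker-controlled input is itself a way to waste cycles. In production the hits would be correlated with the authenticated user of the session rather than only the client address, since the target of this flaw is the list administrator who loads the link, not the party who crafted it.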
