SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   LISTSERV Vendors:   L-Soft
(Vendor Issues Fix for Windows Platforms) L-Soft LISTSERV Input Validation Flaw in WA.EXE Management Interface May Permit Cross-Site Scripting Attacks Against List Administrators
SecurityTracker Alert ID:  1008560
SecurityTracker URL:  http://securitytracker.com/id/1008560
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 27 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   An input validation vulnerability was reported in L-Soft's LISTSERV mailing list software. A remote user can conduct cross-site scripting attacks against administrators.

http-equiv reported that the WA.EXE management interface does not properly filter HTML code from user-supplied input in some of the script parameters before displaying information based on the user-supplied input.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LISTSERV software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/Scripts/wa-demo.exe?A1=ind9807&L=demo%3Cimg%3E

[Editor's note: The demonstration URL worked as of the time of the original posting on a site operated by L-Soft, but appears to have been corrected since then.]

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LISTSERV software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   A fix is available for Windows platforms, available at:

ftp://ftp.lsoft.com/listserv/windows/wa.exe

The vendor plans to issue fixes for other platforms in the future.

Vendor URL:  www.lsoft.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Dec 27 2003 L-Soft LISTSERV Input Validation Flaw in WA.EXE Management Interface May Permit Cross-Site Scripting Attacks Against List Administrators



 Source Message Contents

Subject:  Re: DANGER ZONE: Internet Explorer


On Fri, 26 Dec 2003 17:02:24 -0000, "http-equiv@excite.com" <1@MALWARE.COM>
wrote:

>There is a small yet critical bug in the mailing list software
>called LISTSERV from http://www.lsoft.com/.  A trivial yet important
>ability to effect the common so-called 'cross site scripting' [see:
>http://www.cert.org/advisories/CA-2000-02.html] 'malicious html tag
>embedding in client web requests':

A fix has been made available to correct this.  Windows users only (a great
many of our customers) may now download the fixed cgi script from our FTP
site:

  ftp://ftp.lsoft.com/listserv/windows/wa.exe

A revised WA cgi script for LISTSERV users on running other platforms (various
flavors of unix and openVMS) is forthcoming.  Testing on 10+ operating systems
takes a while, sorry.  A general public announcement about the nature of the
exposure and the fix will be made by L-Soft once testing on all platforms is
completed and the updated versions are available.

>Example:
>
[examples deleted to save space]

None of the given LISTSERV examples will work anymore (generally, a CGI
parameter error is returned).  The wa.exe cgi script on all these sites (and
also on the LISTSERV.NTBUGTRAQ.COM site itself) has been updated with the
fixed build of wa.exe.

Kind Regards,
____________________________________________________________________
 Ben Parker      Chief Corporate Consultant        bparker@lsoft.com
 The Training & Consulting Group                consulting@lsoft.com
 L-Soft international, Inc.                     http://www.lsoft.com
           http://www.lsoft.com/products/default.asp?item=consulting

-----
Editor's Note: The 43rd Most Powerful Person in Networking says...

Wondering as to whether the list is running? The NTBugtraq archives are updated first before messages are emailed to subscribers.
 Check the archives first to see if you have missed any messages;

http://www.ntbugtraq.com/archives

-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC