(Vendor Issues Fix for Windows Platforms) L-Soft LISTSERV Input Validation Flaw in WA.EXE Management Interface May Permit Cross-Site Scripting Attacks Against List Administrators
SecurityTracker Alert ID: 1008560
SecurityTracker URL: http://securitytracker.com/id/1008560
Date: Dec 27 2003
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
An input validation vulnerability was reported in L-Soft's LISTSERV mailing list software. A remote user can conduct cross-site scripting attacks against administrators.
http-equiv reported that the WA.EXE management interface does not properly filter HTML code from user-supplied input in some of the script parameters before displaying information based on the user-supplied input.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LISTSERV software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
[Editor's note: The demonstration URL worked as of the time of the original posting on a site operated by L-Soft, but appears to have been corrected since then.]
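The flaw class described above and the fixed behaviour the vendor reports (a CGI parameter error instead of an echoed value), as an added sketch that is not L-Soft's code. The parameter names `list` and `q`, the allow-list patterns and the page markup are hypothetical, and the sample query strings are constructed.

```python
import html
import re
from urllib.parse import parse_qs

# Hypothetical parameters and allow-list patterns (not LISTSERV's real ones).
ALLOWED = {
    "list": re.compile(r"[A-Za-z0-9_-]{1,64}"),   # strict identifier
    "q": re.compile(r"[^\x00-\x1f]{1,80}"),       # free text, encoded on output
}

def render_unfiltered(query):
    """Flawed pattern: parameter values are copied into the HTML unchanged."""
    params = parse_qs(query, keep_blank_values=True)
    name = params.get("list", [""])[0]
    return "<h1>Archives of %s</h1>" % name

def render_hardened(query):
    """Reject unexpected parameters, then HTML-encode whatever is echoed."""
    params = parse_qs(query, keep_blank_values=True)
    for key, values in params.items():
        pattern = ALLOWED.get(key)
        if pattern is None or len(values) != 1 or not pattern.fullmatch(values[0]):
            # Fixed error text: the rejected value is never reflected.
            return 400, "<h1>CGI parameter error</h1>"
    name = html.escape(params.get("list", [""])[0], quote=True)
    term = html.escape(params.get("q", [""])[0], quote=True)
    return 200, "<h1>Archives of %s</h1><p>Search: %s</p>" % (name, term)

# Constructed sample input; a harmless <b> tag stands in for injected markup.
MARKUP = "%3Cb%3Emarker%3C%2Fb%3E"

if __name__ == "__main__":
    print(render_unfiltered("list=" + MARKUP))            # markup reaches the page
    print(render_hardened("list=" + MARKUP))              # rejected by the allow-list
    print(render_hardened("list=NTBUGTRAQ&q=" + MARKUP))  # accepted, shown encoded
```

Validation and output encoding are separate controls here: the allow-list stops malformed identifiers, while encoding covers free-text fields that cannot be restricted to a narrow pattern.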
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LISTSERV software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A fix for Windows platforms is available at:
The vendor plans to issue fixes for other platforms in the future.
Vendor URL: www.lsoft.com/
Input validation error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Re: DANGER ZONE: Internet Explorer
On Fri, 26 Dec 2003 17:02:24 -0000, "firstname.lastname@example.org" <1@MALWARE.COM>
>There is a small yet critical bug in the mailing list software
>called LISTSERV from http://www.lsoft.com/. A trivial yet important
>ability to effect the common so-called 'cross site scripting' [see:
>http://www.cert.org/advisories/CA-2000-02.html] 'malicious html tag
>embedding in client web requests':
A fix has been made available to correct this. Windows users only (a great
many of our customers) may now download the fixed cgi script from our FTP
A revised WA cgi script for LISTSERV users running other platforms (various
flavors of unix and openVMS) is forthcoming. Testing on 10+ operating systems
takes a while, sorry. A general public announcement about the nature of the
exposure and the fix will be made by L-Soft once testing on all platforms is
completed and the updated versions are available.
[examples deleted to save space]
None of the given LISTSERV examples will work anymore (generally, a CGI
parameter error is returned). The wa.exe cgi script on all these sites (and
also on the LISTSERV.NTBUGTRAQ.COM site itself) has been updated with the
fixed build of wa.exe.
Ben Parker Chief Corporate Consultant email@example.com
The Training & Consulting Group firstname.lastname@example.org
L-Soft international, Inc. http://www.lsoft.com