SecurityReason.com - SecurityAlert Database

Topic: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list


SecurityAlert: 1502
CVE: CVE-2006-4546
CVE: CVE-2006-4547
SecurityRisk: Medium
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: Design Properly (designsoftwareproperly yahoo com)
Published: 08.09.2006

Affected Software: Lyris ListManager 8.95

Advisory Content:

Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
"Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email campaigns, newsletters, and discussion groups."
http://www.lyris.com/products/index.html

Details of this Vulnerability:
A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of one list on the server to add an arbitrary user as an administrator of any other list hosted on the same server. The form used to add an administrator carries the name of the target list in a hidden form field (MEMBERS_.List_), and the server acts on that client-supplied value without checking that the submitting administrator actually administers the list it names. By changing this value and submitting the form (using a tool such as Tamper Data for Firefox), you can add an arbitrary user as an administrator for an arbitrary list.

Here is a sample of these hidden form fields:

<!-- START OF - save cgi variables in hidden fields -->
<input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
<input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
<input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
<input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
<input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
<input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
<input type="hidden" name="MEMBERS_.MailFormat_" value="M">
<input type="hidden" name="MEMBERS_.MemberType_" value="normal">
<input type="hidden" name="MEMBERS_.NoRepro_" value="F">
<input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
<input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
<input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
<input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
<input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
<input type="hidden" name="MEMBERS_.SubType_" value="mail">
<input type="hidden" name="current_tab" value="Basics">
<input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
<input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
Yesterday I was trying to add a user whose name contained a single quote, e.g. "O'Conner." Frequently, as I navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details about what failed. I'm sure there are SQL injection possibilities here as well; I just don't have time to explore them. And where there are SQL injection opportunities, there are often opportunities for JavaScript injection.
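The two server-side defects described above (the trusted hidden MEMBERS_.List_ field, and the quote-sensitive queries noted under Further Work) side by side with their fixes, as an added example that is not ListManager's code: the table, column names, list names and addresses are constructed assumptions that only mirror the advisory's field names.

```python
import sqlite3

# Constructed schema; column names follow the advisory's hidden fields
# (EMAILADDR_, List_, IsListAdm_, FullName_), not ListManager's real schema.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members_ (emailaddr_ TEXT, list_ TEXT, "
               "islistadm_ TEXT, fullname_ TEXT)")
    # constructed data: alice administers only list-a, bob only list-b
    db.executemany("INSERT INTO members_ VALUES (?,?,?,?)",
                   [("alice@example.com", "list-a", "T", "Alice"),
                    ("bob@example.com", "list-b", "T", "Bob")])
    return db

def is_list_admin(db, email, list_name):
    row = db.execute("SELECT 1 FROM members_ WHERE emailaddr_=? AND list_=? "
                     "AND islistadm_='T'", (email, list_name)).fetchone()
    return row is not None

def add_admin_vulnerable(db, session_user, form):
    """Mirrors the flaw: the target list is taken from the hidden
    MEMBERS_.List_ field and session_user's rights on it are never checked.
    The statement is also built by concatenation, so a name like O'Conner
    breaks it and the error text echoes the query, as the advisory observed."""
    sql = ("INSERT INTO members_ VALUES ('%s','%s','T','%s')"
           % (form["MEMBERS_.EMAILADDR_"], form["MEMBERS_.List_"],
              form["MEMBERS_.FullName_"]))
    try:
        db.execute(sql)
    except sqlite3.OperationalError as e:
        return "SQL error in: %s (%s)" % (sql, e)
    return "added"

def add_admin_hardened(db, session_user, form):
    """Fix: authorization is decided from the server-side session user,
    not from the client-controlled hidden field, and values are bound."""
    target = form["MEMBERS_.List_"]
    if not is_list_admin(db, session_user, target):
        return "forbidden"   # submitter does not administer the target list
    db.execute("INSERT INTO members_ VALUES (?,?,'T',?)",
               (form["MEMBERS_.EMAILADDR_"], target, form["MEMBERS_.FullName_"]))
    return "added"

# Constructed requests: alice (admin of list-a only) submits the form with
# the hidden field changed to list-b; QUOTED is a legitimate list-a request.
TAMPERED = {"MEMBERS_.List_": "list-b", "MEMBERS_.FullName_": "Mallory",
            "MEMBERS_.EMAILADDR_": "mallory@example.com"}
QUOTED = {**TAMPERED, "MEMBERS_.List_": "list-a", "MEMBERS_.FullName_": "O'Conner"}
```

Running add_admin_vulnerable with TAMPERED makes mallory an administrator of list-b although alice never had rights there, while add_admin_hardened refuses it and only accepts the list-a request.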

Recommendations to those using ListManager:
The risk of this issue to your organization is directly tied to how many administrators you have on your mailing list server, how much you can really trust them, and the value of your mailing lists. That is, a company that has five administrators for a public list shouldn't care. However, if you've got a lot of administrators and a few lists whose discussions would be worth intercepting or disrupting, you're at high risk of abuse as a result of this vulnerability. Until the vendor solves this and other issues, you're going to have to have a high level of trust in the people administering your lists, or use a different mailing list server.

Best of luck.
