List: full-disclosure
Subject: [Full-disclosure] Lyris ListManager 8.95: Add arbitrary
From: Design Properly <designsoftwareproperly () yahoo ! com>
Date: 2006-08-31 4:14:27
Message-ID: 20060831041427.10614.qmail () web58311 ! mail ! re3 ! yahoo ! com
Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/
Overview of Product:
"Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email campaigns, newsletters, and discussion groups." http://www.lyris.com/products/index.html
Details of this Vulnerability:
A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of any one list on the server to add an arbitrary user as an administrator of any other list hosted on the same server. The form used to add an administrator carries the name of the target list in a hidden form field (MEMBERS_.List_), and the server acts on whatever value arrives in that field instead of checking that the submitting administrator actually has authority over the named list. Hidden fields are fully under the client's control: by changing the value and submitting the form (with a tool such as Tamper Data for Firefox, or any intercepting proxy), a list administrator can add an arbitrary user as an administrator of an arbitrary list. Note that the same form also carries the privilege flag itself, MEMBERS_.IsListAdm_, as a hidden field, so the client supplies not only which list is affected but also the member record that will be written to it.
Here is a sample of these hidden form fields:
<!-- START OF - save cgi variables in hidden fields -->
<input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
<input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
<input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
<input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
<input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
<input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
<input type="hidden" name="MEMBERS_.MailFormat_" value="M">
<input type="hidden" name="MEMBERS_.MemberType_" value="normal">
<input type="hidden" name="MEMBERS_.NoRepro_" value="F">
<input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
<input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
<input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
<input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
<input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
<input type="hidden" name="MEMBERS_.SubType_" value="mail">
<input type="hidden" name="current_tab" value="Basics">
<input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
<input type="hidden" name="table_in_memory" value="MEMBERS_">
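The following is an added example, not ListManager's code or anything from the advisory's author. It models the handler behind the form above in a few lines of Python: one version reproduces the flaw (the caller only has to be an administrator of some list, while the target list and the admin flag are read straight from the posted hidden fields), and one version performs the missing check (authority over the specific list named in the request). The tampering step is shown as an edit of the encoded POST body, which is exactly what a proxy does. The server class, the user and list names, and the visible e-mail field name MEMBERS_.EMAILADDR_ (only listed in fields_in_memory on the page, its input element is not shown) are assumptions.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample of the form's fields: hidden ones copied from the advisory,
# plus the e-mail address input (name assumed from fields_in_memory).
def sample_form(new_admin: str, list_name: str = "listA") -> dict:
    return {
        "MEMBERS_.EMAILADDR_": new_admin,
        "MEMBERS_.IsListAdm_": "T",
        "MEMBERS_.List_": list_name,
        "MEMBERS_.MemberType_": "normal",
        "MEMBERS_.SubType_": "mail",
        "table_in_memory": "MEMBERS_",
    }

def tamper(form: dict, target_list: str) -> dict:
    """The attacker's step: rewrite the hidden list field in the POST body.
    Encoding and re-parsing mirrors what an intercepting proxy edits on the wire."""
    body = urlencode(form)                       # what the browser would send
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    fields["MEMBERS_.List_"] = target_list       # the only change needed
    return fields

class Forbidden(Exception):
    pass

class ListServer:
    """Hypothetical stand-in for the server side; only the authorization logic matters."""

    def __init__(self, admins: dict):
        # list name -> set of administrator addresses (constructed state)
        self.admins = {k: set(v) for k, v in admins.items()}

    def _is_admin_anywhere(self, user: str) -> bool:
        return any(user in members for members in self.admins.values())

    def add_admin_vulnerable(self, session_user: str, form: dict) -> str:
        # Models the flaw: the caller must administer *some* list, but the
        # target list and the admin flag come from client-supplied fields.
        if not self._is_admin_anywhere(session_user):
            raise Forbidden("not a list administrator")
        target = form["MEMBERS_.List_"]
        if form.get("MEMBERS_.IsListAdm_") == "T":
            self.admins.setdefault(target, set()).add(form["MEMBERS_.EMAILADDR_"])
        return target

    def add_admin_fixed(self, session_user: str, form: dict) -> str:
        # Hardened: the posted list name is checked against the authenticated
        # user's authority for that specific list before anything is written.
        target = form["MEMBERS_.List_"]
        if session_user not in self.admins.get(target, set()):
            raise Forbidden(f"{session_user} does not administer {target}")
        if form.get("MEMBERS_.IsListAdm_") == "T":
            self.admins[target].add(form["MEMBERS_.EMAILADDR_"])
        return target

def demo() -> dict:
    """Send the tampered request to both handlers; returns what each allowed."""
    attacker, victim = "mallory@example.com", "secret-list"
    form = tamper(sample_form("accomplice@example.com"), victim)
    results = {}
    for name in ("add_admin_vulnerable", "add_admin_fixed"):
        # mallory administers only listA; secret-list belongs to someone else
        srv = ListServer({"listA": {attacker}, victim: {"owner@example.com"}})
        try:
            getattr(srv, name)(attacker, form)
            results[name] = sorted(srv.admins[victim])
        except Forbidden as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    for handler, outcome in demo().items():
        print(f"{handler}: {outcome}")
```

The point of the fixed handler is that the list name still comes from the client (it has to, somewhere in the request), but it is treated as an untrusted object reference and authorized against the session rather than taken as proof of anything. Binding the list to the session is an equally good fix; what must not happen is the server trusting the hidden field alone.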
Further Work:
Yesterday I was trying to add a user whose name contained a single quote, e.g. "O'Conner." Frequently, as I navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details about what failed. I'm sure there are SQL injection possibilities here as well; I just don't have time to explore. And where there are SQL injection opportunities, there are often opportunities for JavaScript injection.
Recommendations to those using ListManager:
The risk this issue poses to your organization is directly tied to how many list administrators you have on your mailing list server, how far you can really trust them, and the value of your mailing lists. A company with five administrators of a single public list has little to worry about. But if you have many administrators and a few lists whose discussions would be worth intercepting or disrupting, you are at high risk of abuse through this vulnerability: any one list administrator can quietly make themselves, or anyone else, an administrator of those lists. Until the vendor fixes this and the other issues noted above, you will have to place a high level of trust in everyone who administers any list on the server, keep the number of list administrators to a minimum, and periodically review the administrator roster of each sensitive list for entries nobody granted; otherwise, use a different mailing list server.
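As an added example of the roster review suggested above (not ListManager's code, and not from the advisory's author), the following Python compares the administrators recorded for each list against the set you actually approved and reports the rest, with the date each one joined. The MEMBERS_ table shape is an assumption built only from the column names visible in the form's hidden fields (EMAILADDR_, List_, IsListAdm_, DateJoined_); the real schema is not shown on this page, so the query would need adjusting before being run against a production database. The rows and the approved roster are constructed sample data.

```python
import sqlite3

# Assumed, simplified shape of the MEMBERS_ table: the column names are the ones
# seen in the form's hidden fields; the real ListManager schema is not on the page.
SCHEMA = """
CREATE TABLE MEMBERS_ (
    EMAILADDR_  TEXT NOT NULL,
    List_       TEXT NOT NULL,
    IsListAdm_  TEXT NOT NULL,   -- 'T' or 'F', as in the hidden field
    DateJoined_ TEXT NOT NULL    -- 'YYYY-MM-DD HH:MM:SS', as in the hidden field
);
"""

# Constructed sample rows: two lists, one of which has an admin nobody approved.
SAMPLE_ROWS = [
    ("owner@example.com",      "public-list", "T", "2005-01-10 09:00:00"),
    ("reader@example.com",     "public-list", "F", "2006-03-02 11:15:00"),
    ("owner@example.com",      "secret-list", "T", "2005-01-10 09:05:00"),
    ("board@example.com",      "secret-list", "F", "2005-02-01 08:00:00"),
    ("accomplice@example.com", "secret-list", "T", "2006-08-30 20:20:32"),
]

# The roster you actually approved; in practice this comes from your change records.
EXPECTED_ADMINS = {
    "public-list": {"owner@example.com"},
    "secret-list": {"owner@example.com"},
}

def load_sample() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO MEMBERS_ VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def admins_by_list(con: sqlite3.Connection) -> dict:
    """Current administrators per list, as {list name: sorted addresses}."""
    rows = con.execute(
        "SELECT List_, EMAILADDR_ FROM MEMBERS_ "
        "WHERE IsListAdm_ = 'T' ORDER BY List_, EMAILADDR_"
    )
    out = {}
    for list_name, addr in rows:
        out.setdefault(list_name, []).append(addr)
    return out

def unexpected_admins(con: sqlite3.Connection, expected: dict) -> list:
    """Admin rows absent from the approved roster, oldest first, with DateJoined_.
    A list missing from `expected` has no approved admins, so all of its admins
    are reported."""
    rows = con.execute(
        "SELECT List_, EMAILADDR_, DateJoined_ FROM MEMBERS_ "
        "WHERE IsListAdm_ = 'T' ORDER BY DateJoined_"
    )
    return [
        (list_name, addr, joined)
        for list_name, addr, joined in rows
        if addr not in expected.get(list_name, set())
    ]

if __name__ == "__main__":
    con = load_sample()
    for list_name, addrs in admins_by_list(con).items():
        print(f"{list_name}: {', '.join(addrs)}")
    for list_name, addr, joined in unexpected_admins(con, EXPECTED_ADMINS):
        print(f"UNEXPECTED admin {addr} on {list_name} since {joined}")
```

Run regularly, the DateJoined_ column is what turns a finding into an incident timeline: it tells you when the unexpected entry appeared, which bounds how long the list's traffic may have been readable by someone who should not have had it.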
Best of luck.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/