|
|
>> Lyris ListManager SQL Injection and Information Disclosure Issues
|
Multiple vulnerabilities were identified in Lyris ListManager, which could be exploited by remote attackers to gain unauthorized access, disclose sensitive information and conduct SQL injection attacks.
The first issue is due to an input validation error in the web interface that does not properly validate the "pw" parameter when subscribing a new user ("subscribe/subscribe"), which could be exploited by remote attackers to execute arbitrary list administration commands.
The second flaw is due to an input validation error in the "/read/attachment" script, which may be exploited by malicious people to conduct SQL injection attacks.
The third vulnerability is due to input validation errors in various scripts that do not properly validate certain parameters before being passed to the "ORDER BY" command, which may be exploited by malicious people to conduct SQL injection attacks.
The fourth flaw is due to a design error where the embedded MSDE version is accessible via a weak password ("lyris" string followed by a 1 to 5 digit number), which could be exploited by remote attackers to mount brute force attacks and guess the password.
The fifth vulnerability resides in the "status" module of the TCLHTTPd service, which could be exploited by attackers to gain knowledge of sensitive information.
The sixth issue is due to an error in TCLHTTPd service when processing HTTP requests containing specially crafted characters, which may be exploited by attackers to display the source code of arbitrary pages instead of an expected HTML response.
The seventh flaw is due to an error where the entire CGI environment is placed into a hidden HTML variable ("env") of the error page when a non-existent page is requested, which could be exploited by remote attackers to gain knowledge of sensitive information (e.g. software version).
Affected Products
Lyris ListManager versions 5.0 through 8.8a
Solution
Upgrade to Lyris ListManager version 8.9b.
Note : Vulnerabilities #1, #4 and #7 have not been fixed in version 8.9b.
References
http://www.vupen.com/english/advisories/2005/2820
http://metasploit.com/research/vulns/lyris_listmanager/
Credits
Vulnerabilities reported by H D Moore
ChangeLog
2005-12-09 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
