"Lyris ListManager, is the world's most popular software solution for managing and growing in-house email lists, as well as creating highly effective email campaigns, newsletters, and discussion groups."
Lack of proper input validation in Lyris ListManager allows attackers to perform SQL injection, disclose information and bypass authentication.
Credit:
The information has been provided by H D Moore.
The original article can be found at: http://metasploit.com/research/vulns/lyris_listmanager/
Vulnerable Systems:
* Lyris ListManager version 5.x
* Lyris ListManager version 6.x
* Lyris ListManager version 7.x
* Lyris ListManager version 8.x
Immune Systems:
* Lyris ListManager version 8.9b
The Lyris ListManager software provides HTTP, SMTP, and NNTP services for the Linux, Windows, and Solaris platforms. The web interface uses an embedded version of the TCLHTTPd web server and the administrative tools are web applications written in the TCL scripting language.
New Subscription Administrative Command Injection:
The web interface for subscribing a new user to a mailing list (/subscribe/subscribe) accepts a list password parameter (pw). This password parameter is checked for spaces, but is otherwise not sanitized before being placed into a buffer. This buffer is inserted into the processing queue as a new, authenticated command message. It is possible to use %0A%0D sequences, in combination with a line wrap feature in the command processing engine, to execute arbitrary list administration commands. This flaw has not been fixed in the current version (v8.9b).
Read Message Attachment SQL Injection:
It is possible to execute arbitrary queries against the backend database by requesting a URL in the following format: /read/attachment/1;DELETE+FROM+TABLENAME;--/3. Depending on the database type, it may be possible to gain remote access to the system through this flaw. This flaw has been fixed in the latest version (8.9b).
Multiple 'orderby' Parameter SQL Injection Flaws:
It is possible to supply a SQL "ORDER BY" column to almost every list of items displayed in the web interface. The code which processes this field checks for space and tab characters, but each of the supported databases allows other forms of whitespace. When using the MSSQL/MSDE backend, it is possible to access the xp_cmdshell stored procedure by using newline characters as whitespace and substituting spaces with ASCII 0xFF in the cmd.exe string (the command interpreter treats 0xFF as a space). There are many other ways to exploit this, depending on the database type. This flaw has been fixed in the latest version (8.9b).
MSDE Weak 'sa' Account Password:
The MSDE version of the ListManager installer uses a static password of 'lminstall' for the 'sa' user account during the installation process. After the installer finishes, the password is permanently set to 'lyris' followed by a 1 to 5 digit number. This number appears to be the process ID of the installer. This password is trivial to find with a brute-force attack and can lead to an immediate system compromise. This flaw has not been fixed in the current version (v8.9b).
TCLHTTPd Status Module Information Disclosure:
Some versions of the ListManager software allow requests to the "status" module (/status/) included with TCLHTTPd. This module returns detailed information about the server configuration. This flaw has been fixed in the latest version (8.9b).
TCLHTTPd %00 TML Source Disclosure:
The TCLHTTPd service included with the Lyris ListManager product uses '.tml' files to store server-side TCL code. It is possible to view the source of any TML script by appending a url-encoded NULL byte to the request (/read/.tml%00). The server may request authentication, but this can be bypassed by specifying any username ending in the @ character in conjunction with a bogus password. This flaw has been fixed in the latest version (8.9b).
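The pw command injection, the 'orderby' injection and the %00 source disclosure share one root cause: each check rejects one or two specific characters instead of accepting only what the field is allowed to contain. The following is an added example written for this page, not ListManager code and not from the advisory's author. It models the weak checks as the advisory describes them and places an allowlist-based check beside each; the column names in ALLOWED_ORDERBY_COLUMNS and the 64-character password bound are assumptions made for the example.

```python
"""Denylist checks versus allowlist checks, modelled on the three
ListManager input-handling flaws described above (list password,
orderby column, request path). Added example; not ListManager code."""
from urllib.parse import unquote

# --- list password parameter (pw) ------------------------------------
def weak_pw_check(pw: str) -> bool:
    """Rejects only spaces, as the advisory describes; CR/LF pass through."""
    return " " not in pw

def hardened_pw_check(pw: str) -> bool:
    """Allow only visible ASCII and bound the length (64 is an assumed
    limit), so the value can never contain a line break or any other
    control character that a line-oriented command queue would honour."""
    return 0 < len(pw) <= 64 and all(0x21 <= ord(c) <= 0x7E for c in pw)

# --- orderby column --------------------------------------------------
# Hypothetical column names for the example; the real schema is not on the page.
ALLOWED_ORDERBY_COLUMNS = {"emailaddr", "fullname", "datejoined"}

def weak_orderby_check(value: str) -> bool:
    """Rejects only space and tab, as the advisory describes."""
    return " " not in value and "\t" not in value

def hardened_orderby_check(value: str) -> bool:
    """Accept only a known column name; the raw value is never interpolated."""
    return value in ALLOWED_ORDERBY_COLUMNS

# Whitespace characters that SQL engines commonly accept between tokens.
SQL_WHITESPACE = [" ", "\t", "\n", "\r", "\x0b", "\x0c"]

def whitespace_bypasses(check) -> list:
    """Return the whitespace characters that `check` still lets through
    when they are used as the separator between two tokens."""
    return [ws for ws in SQL_WHITESPACE if check(f"col{ws}desc")]

# --- request path ----------------------------------------------------
def hardened_path_check(raw_path: str) -> bool:
    """Decode once, then refuse NUL and every other control character so
    a '%00' suffix cannot change how the file extension is interpreted."""
    decoded = unquote(raw_path)
    return all(0x20 <= ord(c) < 0x7F for c in decoded)

if __name__ == "__main__":
    print("weak orderby check lets through:", whitespace_bypasses(weak_orderby_check))
    print("hardened orderby check lets through:", whitespace_bypasses(hardened_orderby_check))
    print("/read/.tml%00 accepted:", hardened_path_check("/read/.tml%00"))
```

The point of `whitespace_bypasses` is that a denylist has to enumerate every separator every supported database accepts, and the advisory shows that the vendor's list stopped at two; the allowlist does not need to know anything about the database at all.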
Error Message Information Disclosure:
Older versions of the ListManager software, such as v8.5, place the entire CGI environment into a hidden variable ('env') when a non-existent page is requested. This environment contains the software version and the directory path to the ListManager installation. Newer versions, such as v8.8, no longer dump the environment on 404 responses, but they do provide detailed diagnostic information when an error occurs in a TML script. Many TML scripts can be accessed without authentication and disclose information such as the installation path, software version, and often SQL queries and code blocks. An example URL that reproduces the problem is: /read/rss?forum=404. This flaw has not been fixed in the current version (v8.9b).
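For anyone reviewing the access logs of an exposed ListManager instance, the request patterns named in this advisory are straightforward to look for. The following detection script is an added example, not part of the advisory or of the product: it parses common-log-format lines and flags each pattern described above. The log lines are constructed for the example and the indicator names are chosen here.

```python
"""Flag the ListManager request patterns named in this advisory in
common-log-format access logs. Added example with constructed log
lines; indicator names are chosen here, not taken from the advisory."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

HIDDEN_WS = "\r\n\x0b\x0c"   # whitespace that a space/tab check does not catch

def _crlf(values):
    return any("\r" in v or "\n" in v for v in values)

def _orderby_abuse(query):
    for v in query.get("orderby", []):
        if any(ch in v for ch in HIDDEN_WS) or "xp_cmdshell" in v.lower():
            return True
    return False

# (name, predicate(path, query)); path and query values are already URL-decoded
INDICATORS = [
    ("subscribe-pw-crlf", lambda p, q: p == "/subscribe/subscribe" and _crlf(q.get("pw", []))),
    ("attachment-sqli", lambda p, q: p.startswith("/read/attachment/") and ";" in p),
    ("orderby-hidden-whitespace", lambda p, q: _orderby_abuse(q)),
    ("tclhttpd-status", lambda p, q: p == "/status" or p.startswith("/status/")),
    ("tml-null-byte", lambda p, q: "\x00" in p),
    ("rss-error-disclosure", lambda p, q: p == "/read/rss" and q.get("forum") == ["404"]),
]

def classify(target: str):
    """Return the indicator names matched by one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    return [name for name, pred in INDICATORS if pred(path, query)]

def scan_log(text: str):
    """Return (client, indicator, target) for every flagged request.
    A pw sent in a POST body is not visible in an access log; that case
    needs request-body logging or an inspecting proxy in front of the server."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        for name in classify(target):
            hits.append((client, name, target))
    return hits

# Constructed sample log: one benign request, one request per advisory item,
# then another benign request with a legitimate orderby value.
LOG_LINES = """\
10.0.0.5 - - [01/Dec/2005:10:00:01 +0000] "GET /read/?forum=general HTTP/1.0" 200 2310
10.0.0.5 - - [01/Dec/2005:10:00:02 +0000] "GET /subscribe/subscribe?list=news&email=a%40example.com&pw=abc%0A%0Dxyz HTTP/1.0" 200 512
10.0.0.9 - - [01/Dec/2005:10:00:03 +0000] "GET /read/attachment/1;DELETE+FROM+TABLENAME;--/3 HTTP/1.0" 500 77
10.0.0.9 - - [01/Dec/2005:10:00:04 +0000] "GET /read/?forum=general&orderby=subject%0Adesc HTTP/1.0" 200 2300
10.0.0.9 - - [01/Dec/2005:10:00:05 +0000] "GET /status/ HTTP/1.0" 200 4096
10.0.0.9 - - [01/Dec/2005:10:00:06 +0000] "GET /read/.tml%00 HTTP/1.0" 401 0
10.0.0.9 - - [01/Dec/2005:10:00:07 +0000] "GET /read/rss?forum=404 HTTP/1.0" 500 1200
10.0.0.5 - - [01/Dec/2005:10:00:08 +0000] "GET /read/?forum=general&orderby=subject HTTP/1.0" 200 2300
"""

if __name__ == "__main__":
    for client, name, target in scan_log(LOG_LINES):
        print(f"{client} {name} {target}")
```

Decoding the path and query before matching matters: the same %0A can be written as %0a, and a NUL byte may arrive as %00 or inside a doubly-encoded segment, so pattern-matching the raw request line would miss variants that the server itself decodes.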