Lyris ListManager Read Message Attachment SQL Injection

2005-12-08T20:43:11
ID OSVDB:21548
Type osvdb
Reporter H D Moore(fdlist@digitaloffense.net)
Modified 2005-12-08T20:43:11

Description

Vulnerability Description

Lyris ListManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the read message attachment function not properly sanitizing user-supplied input to the attachment URL. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Upgrade to version 8.9b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Lyris ListManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the read message attachment function not properly sanitizing user-supplied input to the attachment URL. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Manual Testing Notes

/read/attachment/1;DELETE+FROM+TABLENAME;--/3

References:

Vendor URL: http://www.lyris.com/products/ Secunia Advisory ID:17943 Other Advisory URL: http://metasploit.com/research/vulns/lyris_listmanager/ Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0349.html FrSIRT Advisory: ADV-2005-2820 CVE-2005-4143 Bugtraq ID: 15787