Lyris ListManager Multiple ORDERBY SQL Injection Flaws

2005-12-08T20:44:32
ID OSVDB:21549
Type osvdb
Reporter H D Moore(fdlist@digitaloffense.net)
Modified 2005-12-08T20:44:32

Description

Vulnerability Description

Lyris ListManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the multiple scripts not properly sanitizing user-supplied input to lists of items. By providing newlines in conjunction with whitespace and ASCII 0xFF characters, an attacker can access the xp_cmdshell stored procedure. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Upgrade to version 8.9b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Lyris ListManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the multiple scripts not properly sanitizing user-supplied input to lists of items. By providing newlines in conjunction with whitespace and ASCII 0xFF characters, an attacker can access the xp_cmdshell stored procedure. This may allow an attacker to inject or manipulate SQL queries in the backend database.

References:

Vendor URL: http://www.lyris.com/products/ Secunia Advisory ID:17943 Other Advisory URL: http://metasploit.com/research/vulns/lyris_listmanager/ Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0349.html FrSIRT Advisory: ADV-2005-2820 CVE-2005-4144 Bugtraq ID: 15787