Lsoft ListServ 16 Cross Site Scripting

`============================================================  
FOREGROUND SECURITY, SECURITY ADVISORY 2012-001  
- Original release date: August 16, 2012  
- Discovered by: Jose Carlos de Arriba (Penetration Testing Team Lead at Foreground Security)  
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)  
- Twitter: @jcarriba  
- Severity: 4.3/10 (Base CVSS Score)  
============================================================  
  
I. VULNERABILITY  
-------------------------  
Lsoft ListServ v16 (WA revision R4241) Cross-Site Scripting (XSS) vulnerability (prior versions have not been checked but could be vulnerable too).  
  
II. BACKGROUND  
-------------------------  
LISTSERV launched the email list industry 25 years ago and remains the gold standard. Continuously developed to meet the latest demands, LISTSERV provides the power, reliability and enterprise-level performance you need to manage all of your opt-in email lists, including email newsletters, announcement lists, discussion groups and email communities.  
  
L-Soft is a pioneer in the fields of email list management software, email marketing software and email list hosting services. L-Soft's solutions are used for managing email newsletters, discussion groups, email communities and opt-in email marketing campaigns.  
  
III. DESCRIPTION  
-------------------------  
Lsoft ListServ v16 (WA revision R4241) presents a Cross-Site Scripting (XSS) vulnerability on the parameters 'SHOWTPL' in the web form page, due to an insufficient sanitization on user supplied data and encoding output.  
  
A malicious user could perform session hijacking or phishing attacks.  
  
IV. PROOF OF CONCEPT  
-------------------------  
http://www.example.com/SCRIPTS/WA.EXE?SHOWTPL=<script>alert(document.cookie)</script>  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker could perform session hijacking or phishing attacks.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Lsoft ListServ v16 - WA revision R4241 (prior or later versions have not been checked so could be affected).  
  
VII. SOLUTION  
-------------------------  
Fixed on WA revision r4276.  
  
VIII. REFERENCES  
-------------------------  
http://www.foregroundsecurity.com/  
http://www.painsec.com  
http://www.lsoft.com/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
- August 16, 2012: Initial release.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
August 8, 2012: Vulnerability discovered by Jose Carlos de Arriba.  
August 8, 2012: Vendor contacted by email.  
August 9, 2012: Response from vendor asking for details and security advisory sent to it.  
August 15, 2012: Security advisory sent to vendor.  
August 15, 2012: Response from vendor with a new WA revision (r4276) with bug fixed.  
August 16, 2012: Security advisory released  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
  
  
Jose Carlos de Arriba, CISSP  
Penetration Testing Team Lead  
Foreground Security  
www.foregroundsecurity.com  
jcarriba (a t) foregroundsecurity (d o t ) com  
  
`