Title:
Lyris ListManager Multiple Flaws
Release Date:
December 8, 2005
Patch Date:
Unknown (v8.9b resolves most issues)
Reported Date:
June 21, 2005
Vendor:
Lyris
Systems Affected:
Lyris ListManager v5.0-8.8a (most flaws)
Summary:
The Lyris ListManager software is vulnerable to numerous SQL injection,
source code disclosure, and authentication bypass flaws. The ListManager
software runs on Linux, Solaris, and Windows and can be configured to
use one of the following database backends: PostgreSQL, Oracle, and
MSSQL/MSDE. These flaws can be used to gain complete access to the
ListManager data and often the host server itself.
Vendor Status:
No communication has been received from the vendor since June 24, 2005.
Although most of the flaws have been fixed in the latest version, a
handful of SQL injection flaws still exist. The vendor did not reply to
a status request on November 21, 2005.
Exploit Availability:
A Metasploit Framework module has been developed for the Read Message
Attachment SQL Injection flaw: lyris_attachment_mssql
</projects/Framework/link.php?type=exploit&vers=2&name=lyris_attachment_mssql>.
No code is required to exploit the other flaws.
Researcher(s):
H D Moore (hdm[at]metasploit.com)
Vulnerability Details:
The Lyris ListManager software provides HTTP, SMTP, and NNTP services
for the Linux, Windows, and Solaris platforms. The web interface uses an
embedded version of the TCLHTTPd web server and the administrative tools
are web applications written in the TCL scripting language. A number of
input validation flaws have been discovered in the TCL scripts, many of
which can result in a complete compromise of the hosting system.
New Subscription Administrative Command Injection <http://osvdb.org/21547>
The web interface for subscribing a new user to a mailing list
(/subscribe/subscribe), accepts a list password parameter (pw). This
password parameter is checked for spaces, but is otherwise not sanitized
before being placed into a buffer. This buffer is inserted into the
processing queue as a new, authenticated command message. It is possible
to use %0A%0D sequences, in combination with a line wrap feature in the
command processing engine, to execute arbitrary list administration
commands. This flaw has *not* been fixed in the current version (v8.9b).
Read Message Attachment SQL Injection <http://osvdb.org/21548>
It is possible to execute arbitrary queries against the backend
database by requesting a URL in the following format:
/read/attachment/1;DELETE+FROM+TABLENAME;--/3. Depending on the database
type, it may be possible to gain remote access to the system through
this flaw. This flaw has been fixed in the latest version (8.9b).
Multiple 'orderby' Parameter SQL Injection Flaws <http://osvdb.org/21549>
It is possible to supply a SQL "ORDER BY" column to almost every list of
items displayed in the web interface. The code which processes this
field checks for space and tab characters, but each of the supported
databases allows other forms of whitespace. When using the MSSQL/MSDE
backend, it is possible to access the xp_cmdshell stored procedure by
using newline characters as whitespace and substituting spaces with
ASCII 0xFF in the cmd.exe string (the command interpreter treats 0xFF as
a space). There are many other ways to exploit this, depending on the
database type. This flaw has been fixed in the latest version (8.9b).
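The two filters above (the subscription password check that only rejects spaces, and the 'orderby' check that only rejects space and tab) fail for the same reason: a short character blacklist that misses the characters the downstream parser actually honours. The following is an added illustration, not code from the advisory or from Lyris; it re-creates the described checks in simplified form next to allowlist-based replacements. The command message layout, the `purge` command token, the table and column names, and the `members` query are assumptions made for the example.

```python
import re

# --- New Subscription command injection (OSVDB-21547) --------------------

def legacy_pw_check(pw: str) -> bool:
    """Re-creation of the check the advisory describes: spaces only."""
    return " " not in pw

def queue_subscribe_command_unsafe(list_name: str, email: str, pw: str) -> str:
    """Build the queued command message with only the legacy check applied.

    The one-command-per-line layout is an assumption for this example.
    """
    if not legacy_pw_check(pw):
        raise ValueError("password may not contain spaces")
    return f"subscribe {list_name} {email} pw={pw}\n"

def queue_subscribe_command_safe(list_name: str, email: str, pw: str) -> str:
    """Allowlist: printable, non-whitespace ASCII only, so the value can
    never terminate the line it is embedded in."""
    if not re.fullmatch(r"[\x21-\x7e]+", pw):
        raise ValueError("password contains whitespace or control characters")
    return f"subscribe {list_name} {email} pw={pw}\n"

def command_lines(message: str) -> list:
    """How a line-oriented queue processor would see the message."""
    return [line for line in message.splitlines() if line]

# %0A%0D from the advisory; "purge" is a hypothetical admin command token.
PW_PAYLOAD = "x\x0a\x0dpurge"

# --- 'orderby' SQL injection (OSVDB-21549) -------------------------------

def legacy_orderby_check(orderby: str) -> bool:
    """Re-creation of the space/tab-only check the advisory describes."""
    return " " not in orderby and "\t" not in orderby

def build_query_unsafe(orderby: str) -> str:
    if not legacy_orderby_check(orderby):
        raise ValueError("rejected")
    return "SELECT id, name FROM members ORDER BY " + orderby

ALLOWED_COLUMNS = {"id", "name", "email", "created"}  # assumed column names

def build_query_safe(orderby: str, descending: bool = False) -> str:
    """Only a known column name reaches the query; direction is a flag,
    never user-supplied text."""
    if orderby not in ALLOWED_COLUMNS:
        raise ValueError("unknown sort column")
    direction = " DESC" if descending else ""
    return f"SELECT id, name FROM members ORDER BY {orderby}{direction}"

# Newlines stand in for whitespace (MSSQL accepts them) and, per the
# advisory, 0xFF stands in for the space inside the cmd.exe argument.
ORDERBY_PAYLOAD = "id;EXEC\nxp_cmdshell\n'dir\xffc:\\';--"

if __name__ == "__main__":
    print(command_lines(queue_subscribe_command_unsafe("announce", "user@example.com", PW_PAYLOAD)))
    print(build_query_unsafe(ORDERBY_PAYLOAD))
```

Both payloads pass the legacy checks and are rejected by the allowlist versions; the point of the example is that the fix is to name what is permitted, not to enumerate what is forbidden.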
MSDE Weak 'sa' Account Password <http://osvdb.org/21559>
The MSDE version of the ListManager installer uses a static password of
'lminstall' for the 'sa' user account during the installation process.
After the installer finishes, the password is permanently set to 'lyris'
followed by a 1 to 5 digit number. This number appears to be the process
ID of the installer. This password is trivial to find with a brute-force
attack and can lead to an immediate system compromise. This flaw has *not*
been fixed in the current version (v8.9b).
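The password scheme above ('lyris' followed by a 1 to 5 digit number, plus the static 'lminstall' installer password) has a keyspace of only 100,000 numeric suffixes. The following is an added example, not from the advisory, that generates that wordlist for a password audit and checks whether a given password follows the weak scheme. The digit range and the absence of zero-padding are read from the advisory's wording and are assumptions of the example.

```python
import re

INSTALL_PASSWORD = "lminstall"          # static password used during install
WEAK_PATTERN = re.compile(r"^lyris\d{1,5}$")  # 'lyris' + 1..5 digit number

def sa_password_candidates():
    """Yield every password the described scheme can produce.

    The suffix is assumed to be the installer's decimal process ID, so no
    zero padding: 'lyris7', not 'lyris00007'. Yields 100,001 strings.
    """
    yield INSTALL_PASSWORD
    for pid in range(100000):
        yield f"lyris{pid}"

def is_weak_sa_password(password: str) -> bool:
    """True if the password would fall to the wordlist above."""
    return password == INSTALL_PASSWORD or WEAK_PATTERN.match(password) is not None

def write_wordlist(path: str) -> int:
    """Write the candidates one per line; returns the number written."""
    count = 0
    with open(path, "w", encoding="ascii") as fh:
        for candidate in sa_password_candidates():
            fh.write(candidate + "\n")
            count += 1
    return count

if __name__ == "__main__":
    print(sum(1 for _ in sa_password_candidates()), "candidates")
```

Any brute-force tool that accepts a plain wordlist can consume the output of `write_wordlist`; at typical MSSQL login rates the whole list is exhausted in minutes.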
TCLHTTPd Status Module Information Disclosure <http://osvdb.org/21550>
Some versions of the ListManager software allow requests to the "status"
module (/status/) included with TCLHTTPd. This module returns detailed
information about the server configuration. This flaw has been fixed in
the latest version (8.9b).
TCLHTTPd %00 TML Source Disclosure <http://osvdb.org/21551>
The TCLHTTPd service included with the Lyris ListManager product uses
'.tml' files to store server-side TCL code. It is possible to view the
source of any TML script by appending a url-encoded NULL byte to the
request (/read/.tml%00). The server may request authentication, but this
can be bypassed by specifying any username ending in the @ character
in conjunction with a bogus password. This flaw has been fixed in the
latest version (8.9b).
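Several of the flaws above leave a distinctive mark in the web server's access log: a non-numeric segment after /read/attachment/, an encoded NULL byte (%00) in the path, an 'orderby' value containing anything but a bare column name, and requests to /status/. The following is an added detection example, not part of the advisory, that runs those checks over constructed Common Log Format lines. The log lines, the finding names and the exact regular expressions are assumptions of the example; the query string is parsed by hand rather than with urllib.parse.parse_qs because older Python versions split that function's input on ';' as well as '&', which would hide the injected text.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2005:10:00:01 -0600] "GET /read/attachment/1/3 HTTP/1.1" 200 5120
10.0.0.5 - - [08/Dec/2005:10:00:02 -0600] "GET /read/attachment/1;DELETE+FROM+TABLENAME;--/3 HTTP/1.1" 500 312
10.0.0.9 - - [08/Dec/2005:10:00:03 -0600] "GET /read/?orderby=name HTTP/1.1" 200 2048
10.0.0.9 - - [08/Dec/2005:10:00:04 -0600] "GET /read/?orderby=name;EXEC%0Axp_cmdshell%0A'dir';-- HTTP/1.1" 200 2048
10.0.0.12 - - [08/Dec/2005:10:00:05 -0600] "GET /read/.tml%00 HTTP/1.1" 200 9981
10.0.0.12 - - [08/Dec/2005:10:00:06 -0600] "GET /status/ HTTP/1.1" 200 7700
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
ATTACHMENT_RE = re.compile(r"/read/attachment/([^/]+)")
COLUMN_NAME_RE = re.compile(r"[A-Za-z0-9_]+")

def query_params(query: str) -> dict:
    """Split a query string on '&' only and URL-decode keys and values."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify_request(target: str) -> list:
    """Return the finding names that apply to one request target."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)          # %00 becomes a real NUL byte here
    if "\x00" in path:
        findings.append("null-byte-source-disclosure")   # OSVDB-21551
    match = ATTACHMENT_RE.match(path)
    if match and not match.group(1).isdigit():
        findings.append("attachment-sqli")               # OSVDB-21548
    if path == "/status" or path.startswith("/status/"):
        findings.append("status-module-probe")           # OSVDB-21550
    for value in query_params(parts.query).get("orderby", []):
        if not COLUMN_NAME_RE.fullmatch(value):
            findings.append("orderby-sqli")              # OSVDB-21549
    return findings

def scan_log(lines) -> list:
    """Return (line_number, findings) for every line that triggers a check."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group(1))
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(number, ", ".join(findings))
```

The attachment and orderby checks are allowlists on what a legitimate request looks like (a numeric ID, a bare column name), so they also catch injection strings the advisory does not spell out; the NUL-byte and /status/ checks are exact matches on the described probes. Requests that carry the payload in a POST body are not visible in an access log and need a request-level control.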
Error Message Information Disclosure <http://osvdb.org/21552>
Older versions of the ListManager software, such as v8.5, place the
entire CGI environment into a hidden variable ('env') when a
non-existent page is requested. This environment contains the software
version and the directory path to the ListManager installation. Newer
versions, such as v8.8, no longer dump the environment on 404 responses,
but they do provide detailed diagnostic information when an error
occurs in a TML script. Many of the TML scripts can be accessed without
authentication and disclose information such as the installation path,
software version, and often SQL queries and code blocks. An
example URL that reproduces the problem is: /read/rss?forum=404. This
flaw has *not* been fixed in the current version (v8.9b).
Notes:
Lyris was very reluctant to respond to these issues or communicate with
us in any form.
Last Update: Dec 08 2005
Doc Version: 1.0
References: OSVDB-21547 <http://osvdb.org/21547>
OSVDB-21548 <http://osvdb.org/21548>
OSVDB-21549 <http://osvdb.org/21549>
OSVDB-21550 <http://osvdb.org/21550>
OSVDB-21551 <http://osvdb.org/21551>
OSVDB-21552 <http://osvdb.org/21552>
OSVDB-21559 <http://osvdb.org/21559>
Copyright © 2003-2005 metasploit.com
msfdev[at]metasploit.com