TITLE: Lyris ListManager Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA17943
VERIFY ADVISORY: http://secunia.com/advisories/17943/
CRITICAL: Less critical
IMPACT: Manipulation of data, Exposure of system information, Privilege escalation
WHERE: >From remote
SOFTWARE: Lyris ListManager 7.x http://secunia.com/product/1390/ Lyris ListManager 6.x http://secunia.com/product/1380/ Lyris ListManager 5.x http://secunia.com/product/1381/ Lyris ListManager 8.x http://secunia.com/product/6419/
DESCRIPTION: H D Moore has reported some vulnerabilities in Lyris ListManager, which be exploited by malicious users to perform certain actions with escalated privileges or to conduct SQL injection attacks, and by malicious people to disclose certain system information.
1) Input passed to the "pw" parameter in the web interface for subscribing a new user to the mailing list isn't properly sanitised before being inserted into the processing queue as a command message. This can be exploited to execute arbitrary list administration commands via specially crafted input containing %0A%0D sequences.
2) Input passed to "/read/attachment" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Input passed to certain parameters isn't properly sanitised before being used as column name to the ORDER BY command in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The MSDE version of ListManager uses a weak default password for the database after installation. The password is reportedly set to "lyris" followed by a 1 to 5 digit number. This password can potentially be derived by a brute-force attack.
5) Certain versions of ListManager allows access to the "status" module of the TCLHTTPd service. This can be exploited to reveal detailed information about the server configuration.
6) An error in the TCLHTTPd service can be exploited to view the source of arbitrary TML scripts on the server by appending a URL encoded NULL byte to the request (e.g. /read/.tml%00).
7) The entire CGI environment is included into a HTML hidden variable of the error page when a non-existent page is requested. This potentially reveals information of the software version and the installation path.
The vulnerabilities have been reported in versions 5.0 through 8.8a.
Note: It has also been reported that the error message that is generated when an error occurs in a TML script reveals certain information such as the installation path, software version, SQL queries and certain code blocks.
SOLUTION: Vulnerabilities #2, #3, #5, #6, and #7 has reportedly been fixed in version 8.9b.
PROVIDED AND/OR DISCOVERED BY: H D Moore
ORIGINAL ADVISORY: http://metasploit.com/research/vulns/lyris_listmanager/
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.