|
Lyris ListManager Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA17943
|
|
|
Release Date:
|
2005-12-09
|
|
Last Update:
|
2005-12-13
|
|
Popularity:
|
8,301 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Manipulation of data
Exposure of system information
Privilege escalation
|
|
Where:
|
From remote
|
|
Solution Status:
|
Partial Fix
|
|
| Software: | Lyris ListManager 5.x
Lyris ListManager 6.x
Lyris ListManager 7.x
Lyris ListManager 8.x
|
|
|
Secunia CVSS-2 Score:
|
Available in Secunia business solutions 
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
| Advisory Content (Page 1 of 3) | [ 1 ] [ 2 ] [ 3 ] | |
|
Description:
H D Moore has reported some vulnerabilities in Lyris ListManager, which can be exploited by malicious users to perform certain actions with escalated privileges or to conduct SQL injection attacks, and by malicious people to disclose certain system information.
1) Input passed to the "pw" parameter in the web interface for subscribing a new user to the mailing list isn't properly sanitised before being inserted into the processing queue as a command message. This can be exploited to execute arbitrary list administration commands via specially crafted input containing %0A%0D sequences.
2) Input passed to "/read/attachment" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Input passed to certain parameters isn't properly sanitised before being used as column name to the ORDER BY command in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The MSDE version of ListManager uses a weak default password for the database after installation. The password is reportedly set to "lyris" followed by a 1 to 5 digit number. The number is derived from the size of the disk partition in MB. This password can potentially be derived by a brute-force attack.
5) Certain versions of ListManager allows access to the "status" module of the TCLHTTPd service. This can be exploited to reveal detailed information about the server configuration.
6) An error in the TCLHTTPd service can be exploited to view the source of arbitrary TML scripts on the server by appending a URL encoded NULL byte to the request (e.g. /read/.tml%00).
7) The entire CGI environment is included into a HTML hidden variable of the error page when a non-existent page is requested. This potentially reveals information of the software version and the installation path.
The vulnerabilities have been reported in versions 5.0 through 8.8a.
Note: It has also been reported that the error message that is generated when an error occurs in a TML script reveals certain information such as the installation path, software version, SQL queries and certain code blocks.
Change Page:
[ 1 ] [ 2 ] [ 3 ]
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
