Secunia

H D Moore has reported some vulnerabilities in Lyris ListManager, which can be exploited by malicious users to perform certain actions with escalated privileges or to conduct SQL injection attacks, and by malicious people to disclose certain system information.

1) Input passed to the "pw" parameter in the web interface for subscribing a new user to the mailing list isn't properly sanitised before being inserted into the processing queue as a command message. This can be exploited to execute arbitrary list administration commands via specially crafted input containing %0A%0D sequences.

2) Input passed to "/read/attachment" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) Input passed to certain parameters isn't properly sanitised before being used as column name to the ORDER BY command in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) The MSDE version of ListManager uses a weak default password for the database after installation. The password is reportedly set to "lyris" followed by a 1 to 5 digit number. The number is derived from the size of the disk partition in MB. This password can potentially be derived by a brute-force attack.

5) Certain versions of ListManager allows access to the "status" module of the TCLHTTPd service. This can be exploited to reveal detailed information about the server configuration.

6) An error in the TCLHTTPd service can be exploited to view the source of arbitrary TML scripts on the server by appending a URL encoded NULL byte to the request (e.g. /read/.tml%00).

7) The entire CGI environment is included into a HTML hidden variable of the error page when a non-existent page is requested. This potentially reveals information of the software version and the installation path.

The vulnerabilities have been reported in versions 5.0 through 8.8a.

Note: It has also been reported that the error message that is generated when an error occurs in a TML script reveals certain information such as the installation path, software version, SQL queries and certain code blocks.

Solution
Vulnerabilities #2, #3, #5, #6, and #7 have reportedly been fixed in version 8.9b.
Further details available in Customer Area

Provided and/or discovered by
H D Moore

Additional information on Vulnerability #4 by:
zombie91836

Changelog
Further details available in Customer Area

Original Advisory
http://metasploit.com/research/vulns/lyris_listmanager/

Deep Links
Links available in Customer Area