Secunia

Some weaknesses and some vulnerabilities have been reported in Lyris ListManager, which can be exploited by malicious people to disclose system information and conduct cross-site scripting or cross-site request forgery attacks.

1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. initiate a file upload to another site when a logged-in administrator visits a malicious web page.

2) Input passed to various parameters in various scripts (e.g. the "page" parameter in read/attach_file.tml, read/attachment_too_large.tml, and read/confirm_file_attach.tml, to the "emailaddr" parameter in read/login/ndex.tml and read/login/sent_password.tml, the "list" parameter in subscribe/subscribe, and the "max" parameter in utilities/db/showsql) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Certain error messages include system information (e.g. the path to the web root directory or ListManager and SQL server versions).

4) Different messages are returned depending on whether a password recovery attempt is performed with a valid or invalid username. This can be exploited to identify valid usernames via multiple password recovery attempts.

Solution
Filter malicious characters and character sequences using a proxy. Do not visit other web sites while being logged-in to ListManager.

Provided and/or discovered by
Richard Brain and Adrian Pastor, ProCheckUp Ltd

Original Advisory
http://www.procheckup.com/vulnerability_manager/documents/document_1254179990_572/New_Listmanager_paper_v2.pdf

Deep Links
Links available in Customer Area