Date: Sun, 20 Sep 1998 01:40:16 -0400
From: Jimmy Lee Alderson <[email protected]>
To: [email protected]Subject: Vulnerability in Lyris Listserver
The following is associated with a post to NTbugtraq. The original post
vaguely describes a security problem inherent in a popular server. I
recently found this problem on my own, and was going to post. But since it
has already been posted I have decided to post it to bugtraq, with some
value added. I have included the original afer my signature.
The web interface for the Lyris listserver is a perl based script located
in the /cgi-bin/ directory on a web server by default. This server
contains a vulnerability that allows access at any of the three levels of
admin that Lyris allows.
List Admin: Manages a particular list on a server.
Site Admin: Manages a the entire group of lists.
Server Admin: Manages the entire server.
Server admin is the most interesting because it allows you to specify a
command that should be executed either prior to or after processing mail
sent to the listserver. This allows a remote attacker to execute
arbitrary commands on the remote system as the user the list server is
running as.
(See the original post below for the fix information)
Jimmy Alderson
-------original post below-------------
Hello all: I've been trading email with list-manager Russ, and he
suggested I post a message to this list.
A few weeks ago, we (the makers of the Lyris List Server) were informed
by one of our users of a potential security vulnerability in the web
interface of our program. While we haven't had any reports of the
vulnerability being exploited at any of our customer's sites, we did
replicate the problem and confirm that the vulnerability existed.
At the time, we made a patch fix available which could be applied to the
current (2.54) and beta (2.548) release versions. Then, we released a
v3.0 beta version of Lyris, which had the bug fix.
A few days ago, we released Lyris v3.0 out of beta, as a release version.
This v3.0 release has the fix for the security vulnerability, as well as
other things as part of the new version.
We're recommending that any site running any version of Lyris upgrade to
this v3.0 release. There is no charge to upgrade, and the upgrade program
will preserve all current settings.
Lyris v3.0 can be downloaded from here: http://www.lyris.com/down/
If you don't know what Lyris List Server is, you may be interested in
this 3rd party review on Forrest Stroud's "ServerWatch" web site:
http://serverwatch.internet.com/listreview-lyris.html
Obviously, we've announced these security concerns, and the fixes, to all
our existing user base. In my email exchange with Russ, he felt that the
NTBugTraq list would benefit from knowing about this update, and that's
the reason I'm posting this message.
John