From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 13 Dec 2005 17:30:57 +0200
Subject: [NT] Lyris ListManager Multiple SQL Injection, Information Disclosure and Authentication Bypass
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051213170702.1502D5AB2@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lyris ListManager Multiple SQL Injection, Information Disclosure and
Authentication Bypass
------------------------------------------------------------------------
SUMMARY
Lyris ListManager <http://www.lyris.com/products/listmanager/index.html>
describes itself as "the world's most popular software solution for managing
and growing in-house email lists, as well as creating highly effective
email campaigns, newsletters, and discussion groups."
Lack of proper input validation in Lyris ListManager allows attackers to
perform SQL injection, disclose server and application information, and
bypass authentication.
DETAILS
Vulnerable Systems:
* Lyris ListManager version 5.x
* Lyris ListManager version 6.x
* Lyris ListManager version 7.x
* Lyris ListManager version 8.x
Immune Systems:
 * Lyris ListManager version 8.9b (fixes the SQL injection, status module
   and TML source disclosure flaws; the command injection, MSDE 'sa'
   password and error message disclosure flaws described below remain
   unfixed in 8.9b)
The Lyris ListManager software provides HTTP, SMTP, and NNTP services for
the Linux, Windows, and Solaris platforms. The web interface uses an
embedded version of the TCLHTTPd web server and the administrative tools
are web applications written in the TCL scripting language.
New Subscription Administrative Command Injection:
The web interface for subscribing a new user to a mailing list
(/subscribe/subscribe) accepts a list password parameter (pw). This
parameter is checked for spaces but is otherwise not sanitized before being
placed into a buffer, which is then inserted into the processing queue as a
new, authenticated command message. By using %0A%0D (line break) sequences,
in combination with a line wrap feature in the command processing engine,
an attacker can append arbitrary list administration commands to that
message. This flaw has not been fixed in the current version (v8.9b).
Read Message Attachment SQL Injection:
It is possible to execute arbitrary queries against the backend database
by requesting a URL in the following format:
/read/attachment/1;DELETE+FROM+TABLENAME;--/3. Depending on the database
type, it may be possible to gain remote access to the system through this
flaw. This flaw has been fixed in the latest version (8.9b).
Multiple 'orderby' Parameter SQL Injection Flaws:
It is possible to supply a SQL "ORDER BY" column for almost every list of
items displayed in the web interface. The code which processes this field
checks for space and tab characters, but each of the supported databases
also accepts other forms of whitespace (such as newlines). When using the
MSSQL/MSDE backend, it is possible to reach the xp_cmdshell stored
procedure by using newline characters as whitespace and substituting the
spaces in the cmd.exe command string with ASCII 0xFF (the command
interpreter treats 0xFF as a space). There are many other ways to exploit
this, depending on the database type. This flaw has been fixed in the
latest version (8.9b).
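The two input-filtering flaws above (the 'pw' check that rejects only spaces, and the 'orderby' check that rejects only space and tab) share a root cause: a denylist of one or two characters, with the value then concatenated into a line-oriented command buffer or a SQL statement. The following Python is an added example written for this page, not ListManager or Metasploit code. The command-message layout, the second "placeholder" command, the column names and the sample values are all constructed; the advisory does not give the real command vocabulary or schema. It shows the naive filters letting the injected values through, a hardened allow-list replacement, and a small check that can be run over logged parameter values.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not captured from a real ListManager instance).
# "placeholder-admin-command" stands in for whatever list administration
# command an attacker would append; the real vocabulary is not on this page.
INJECTED_PW = "secret\r\nplaceholder-admin-command"
INJECTED_ORDERBY = "id;\nEXEC\nxp_cmdshell\n'whoami'--"


# --- Naive filters, modelled on the advisory's description ---------------

def pw_passes_naive_check(pw: str) -> bool:
    """Models the /subscribe/subscribe 'pw' check: rejects spaces only."""
    return " " not in pw


def orderby_passes_naive_check(col: str) -> bool:
    """Models the 'orderby' check: rejects space and tab only."""
    return " " not in col and "\t" not in col


# --- Sinks (constructed models of how the values are consumed) -----------

def queue_lines(listname: str, pw: str) -> List[str]:
    """Model of a line-oriented, already-authenticated command message:
    the password is concatenated into a buffer that is later split on
    line breaks, so CR/LF inside pw yields extra command lines."""
    buf = "subscribe " + listname + "\r\n" + "password " + pw + "\r\n"
    return [line for line in buf.split("\r\n") if line]


def orderby_query(col: str) -> str:
    """Model of the vulnerable query construction (assumed table/columns)."""
    return "SELECT id, subject FROM messages ORDER BY " + col


# --- Hardened replacements ----------------------------------------------

ALLOWED_ORDERBY = frozenset({"id", "subject", "date", "author"})  # assumed columns


def pw_is_acceptable(pw: str) -> bool:
    """Allow-list: printable ASCII only, so CR, LF and every other control
    or whitespace character is rejected rather than enumerated."""
    return 0 < len(pw) <= 64 and all(0x21 <= ord(c) <= 0x7E for c in pw)


def orderby_is_acceptable(col: str) -> bool:
    """Never interpolate a caller-supplied column name; map it to a fixed set."""
    return col in ALLOWED_ORDERBY


# --- Detection helper for request logs ----------------------------------

# Whitespace the old filters ignored but the databases accept as separators,
# plus 0xFF, which the advisory notes cmd.exe treats as a space.
SUSPICIOUS = re.compile(r"[\r\n\f\v\xff]")


def looks_suspicious(value: str) -> bool:
    return SUSPICIOUS.search(value) is not None


def demo() -> Tuple[List[str], str]:
    """Both injected values pass the naive checks; show what the sinks build."""
    assert pw_passes_naive_check(INJECTED_PW)
    assert orderby_passes_naive_check(INJECTED_ORDERBY)
    return queue_lines("mylist", INJECTED_PW), orderby_query(INJECTED_ORDERBY)


if __name__ == "__main__":
    lines, query = demo()
    print(lines)   # three command lines instead of two
    print(query)   # newline-separated SQL, no spaces or tabs needed
```

The allow-list functions are the fix a reviewer should expect: for a password, accept a character class rather than reject a few bytes; for ORDER BY, map the request value onto a fixed set of column names and never put the raw string into the statement.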
MSDE Weak 'sa' Account Password:
The MSDE version of the ListManager installer uses a static password of
'lminstall' for the 'sa' user account during the installation process.
After the installer finishes, the password is permanently set to 'lyris'
followed by a 1 to 5 digit number. This number appears to be the process
ID of the installer. With at most 111,110 candidates, this password is
trivial to find with a brute-force attack and can lead to an immediate
system compromise. This flaw has not been fixed in the current version
(v8.9b).
TCLHTTPd Status Module Information Disclosure:
Some versions of the ListManager software allow requests to the "status"
module (/status/) included with TCLHTTPd. This module returns detailed
information about the server configuration. This flaw has been fixed in
the latest version (8.9b).
TCLHTTPd %00 TML Source Disclosure:
The TCLHTTPd service included with the Lyris ListManager product uses
'.tml' files to store server-side TCL code. It is possible to view the
source of any TML script by appending a url-encoded NULL byte to the
request (/read/.tml%00). The server may request authentication, but this
can be bypassed by specifying any username ending in the @ character in
conjunction with a bogus password. This flaw has been fixed in the latest
version (8.9b).
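The null-byte trick above is an instance of a well-known class: a length-aware string layer decides how to handle a path, while the file API underneath stops reading at the first NUL. The following Python is an added example for this page, not TclHttpd or ListManager code, and it models the usual mechanism of that class rather than the server's actual dispatch, which the advisory does not describe. The in-memory "filesystem", the template path and the rendering stand-in are constructed; the authentication bypass via a username ending in '@' is not modelled.

```python
from typing import Tuple
from urllib.parse import unquote

# Constructed "filesystem": request path -> TML source. Not real ListManager content.
FILES = {
    "/read/index.tml": '<% puts "server-side Tcl that must never be shown" %>',
}


def c_string(s: str) -> str:
    """What a NUL-terminated C API (open(2) and friends) sees of the path."""
    return s.split("\x00", 1)[0]


def render_tml(source: str) -> str:
    """Stand-in for executing a TML template; real output is not modelled."""
    return "<html>rendered from %d bytes of template</html>" % len(source)


def serve_naive(request_path: str) -> Tuple[str, str]:
    """Model of the vulnerable dispatch: the handler is chosen from the
    suffix of the fully decoded path, but the file is opened through the
    NUL-truncating view of that same path."""
    path = unquote(request_path)              # "%00" decodes to "\x00"
    if path.endswith(".tml"):
        src = FILES.get(path)
        return ("tml", render_tml(src)) if src is not None else ("error", "404 not found")
    # Not a template as far as the dispatcher is concerned: serve raw bytes.
    real = c_string(path)                     # "/read/index.tml\x00" -> "/read/index.tml"
    src = FILES.get(real)
    return ("static", src) if src is not None else ("error", "404 not found")


def serve_hardened(request_path: str) -> Tuple[str, str]:
    """Decode, reject control bytes outright, and pick the handler from the
    exact string that will reach the file API."""
    path = unquote(request_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return ("error", "400 bad request")
    src = FILES.get(path)
    if src is None:
        return ("error", "404 not found")
    if path.endswith(".tml"):
        return ("tml", render_tml(src))
    return ("static", src)


if __name__ == "__main__":
    print(serve_naive("/read/index.tml"))         # executed as a template
    print(serve_naive("/read/index.tml%00"))      # raw template source leaks
    print(serve_hardened("/read/index.tml%00"))   # rejected before any lookup
```

The important property of the hardened version is not the specific check but the ordering: the decision about what a path is and the bytes handed to the filesystem are the same string, and anything the lower layer would silently truncate is refused before that decision is made.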
Error Message Information Disclosure:
Older versions of the ListManager software, such as v8.5, place the entire
CGI environment into a hidden variable ('env') when a non-existent page is
requested. This environment contains the software version and the
directory path to the ListManager installation. Newer versions, such as
v8.8, no longer dump the environment on 404 responses, but they do provide
detailed diagnostic information when an error occurs in a TML script. Many
of the TML scripts can be accessed without authentication and disclose
information such as the installation path, software version, and often
SQL queries and code blocks. An example URL that reproduces the problem
is: /read/rss?forum=404. This flaw has not been fixed in the current
version (v8.9b).
ADDITIONAL INFORMATION
The information has been provided by HD Moore <mailto:sflist@digitaloffense.net>.
The original article can be found at:
http://metasploit.com/research/vulns/lyris_listmanager/
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.