Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14091
HistoryAug 31, 2006 - 12:00 a.m.

[Full-disclosure] Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list

2006-08-3100:00:00
vulners.com
7

Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
"Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email campaigns, newsletters, and discussion groups." http://www.lyris.com/products/index.html

Details of this Vulnerability:
A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of a list on the server to add an arbitrary user as an administrator to any other list hosted on the same server. Specifically, the form one fills out to add an administrator contains a hidden form field with the name of the list to which the administrator will be added. By changing this value and submitting the form (using tools like TamperData for FireFox), you can add an arbitrary user as an administrator for an arbitrary list.

Here is a sample of these hidden form fields:

<!-- START OF - save cgi variables in hidden fields -->
<input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
<input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
<input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
<input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
<input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
<input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
<input type="hidden" name="MEMBERS_.MailFormat_" value="M">
<input type="hidden" name="MEMBERS_.MemberType_" value="normal">
<input type="hidden" name="MEMBERS_.NoRepro_" value="F">
<input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
<input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
<input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
<input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
<input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
<input type="hidden" name="MEMBERS_.SubType_" value="mail">
<input type="hidden" name="current_tab" value="Basics">
<input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
<input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
Yesterday I was trying to add a user whose name contained a single-quote, e.g. "O'Conner." Frequently, as I navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details about what failed. I'm sure there's SQL injection possibilities here as well, I just don't have time to explore. And where there are SQL injection opportunities, there's often opportunities for JavaScript injection.

Recommendations to those using ListManager:
The risk of this issue to your organization is directly tied to how many administrators you have on your mailing list server, how much you can really trust them, and the value of your mailing lists. That is, a company that has five administrators for a public list shouldn't care. However, if you've got a lot of administrators and a few lists whose discussions would be worth intercepting or disrupting, you're at high-risk for abuse as a result of this vulnerability. Until the vendor solves this and other issues, you're going to have to have a high level of trust in the people administering your lists, or use a different mailing list server.

Best of luck.


Want to be your own boss? Learn how on Yahoo! Small Business.