Network Security Bugtraq

Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list

Date: Wed, 30 Aug 2006 21:25:44 -0700 (PDT)
Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email campaigns, newsletters, and discussion groups."
http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of a list on the server to add an arbitrary user as an administrator to any other list hosted on the same server. Specifically, the form one fills out to add an administrator carries the name of the target list in a hidden form field (MEMBERS_.List_ in the sample below), and the server acts on that client-supplied value without verifying that the submitting administrator actually has rights over that list. By changing this value and submitting the form (using tools like TamperData for Firefox), you can add an arbitrary user as an administrator for an arbitrary list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single-quote, e.g. "O'Conner." Frequently, as I navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details about what failed. I'm sure there are SQL injection possibilities here as well; I just don't have time to explore them. And where there are SQL injection opportunities, there are often opportunities for JavaScript injection.
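The following is an added illustration, not ListManager's own code: the members_ schema, the seeded sample rows and the form keys (modelled on the hidden-field names above) are assumptions. It places the trust pattern described under Details, where the target list comes straight from the hidden field, beside a handler that authorises against the exact list named in the request, and uses a parameterised insert so that a name such as O'Conner from the Further Work section cannot alter the SQL statement.

```python
import sqlite3

# Constructed in-memory stand-in for the members_ table; column names follow
# the hidden-field names on the page, the schema itself is an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members_ (list_ TEXT, emailaddr_ TEXT, "
               "fullname_ TEXT, islistadm_ TEXT)")
    # Constructed sample data: alice administers list-a only.
    db.execute("INSERT INTO members_ VALUES ('list-a', 'alice@example.com', "
               "'Alice', 'T')")
    return db

def is_admin_of(db, email, list_name):
    """True if email is recorded as an administrator of exactly list_name."""
    row = db.execute("SELECT 1 FROM members_ WHERE list_=? AND emailaddr_=? "
                     "AND islistadm_='T'", (list_name, email)).fetchone()
    return row is not None

def is_admin_anywhere(db, email):
    """True if email administers any list on the server."""
    row = db.execute("SELECT 1 FROM members_ WHERE emailaddr_=? "
                     "AND islistadm_='T'", (email,)).fetchone()
    return row is not None

def add_admin_vulnerable(db, session_email, form):
    # The pattern the advisory describes: the caller only has to be an
    # administrator of *some* list, and the target list is read straight
    # from the client-controlled hidden field MEMBERS_.List_.
    if not is_admin_anywhere(db, session_email):
        return False
    db.execute("INSERT INTO members_ VALUES (?, ?, ?, 'T')",
               (form["MEMBERS_.List_"], form["MEMBERS_.EMAILADDR_"],
                form["MEMBERS_.FullName_"]))
    return True

def add_admin_hardened(db, session_email, form):
    # Authorisation is tied to the exact list named in the request, and the
    # admin flag is set by the server rather than taken from IsListAdm_.
    target = form["MEMBERS_.List_"]
    if not is_admin_of(db, session_email, target):
        return False
    # Parameterised insert: a quote in the name cannot alter the statement.
    db.execute("INSERT INTO members_ VALUES (?, ?, ?, 'T')",
               (target, form["MEMBERS_.EMAILADDR_"],
                form["MEMBERS_.FullName_"]))
    return True
```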

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many administrators you have on your mailing list server, how much you can really trust them, and the value of your mailing lists. That is, a company that has five administrators for a public list shouldn't care. However, if you've got a lot of administrators and a few lists whose discussions would be worth intercepting or disrupting, you're at high risk for abuse as a result of this vulnerability. Until the vendor solves this and other issues, you're going to have to have a high level of trust in the people administering your lists, or use a different mailing list server.
    
Best of luck.
