Multiple vulnerabilities were identified in Lyris ListManager, which could be exploited by remote attackers to gain unauthorized access, disclose sensitive information and conduct SQL injection attacks.
The first issue is due to an input validation error in the web interface that does not properly validate the "pw" parameter when subscribing a new user ("subscribe/subscribe"), which could be exploited by remote attackers to execute arbitrary list administration commands.
The second flaw is due to an input validation error in the "/read/attachment" script, which may be exploited by malicious people to conduct SQL injection attacks.
The third vulnerability is due to input validation errors in various scripts that do not properly validate certain parameters before being passed to the "ORDER BY" command, which may be exploited by malicious people to conduct SQL injection attacks.
The fourth flaw is due to a design error where the embedded MSDE version is accessible via a weak password ("lyris" string followed by a 1 to 5 digit number), which could be exploited by remote attackers to mount brute force attacks and guess the password.
The fifth vulnerability resides in the "status" module of the TCLHTTPd service, which could be exploited by attackers to gain knowledge of sensitive information.
The sixth issue is due to an error in TCLHTTPd service when processing HTTP requests containing specially crafted characters, which may be exploited by attackers to display the source code of arbitrary pages instead of an expected HTML response.
The seventh flaw is due to an error where the entire CGI environment is placed into a hidden HTML variable ("env") of the error page when a non-existent page is requested, which could be exploited by remote attackers to gain knowledge of sensitive information (e.g. software version).
Credits
Vulnerabilities reported by H D Moore
ChangeLog
2005-12-09 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
