Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list

[Design Properly <designsoftwareproperly () yahoo com>]

Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
    "Lyris ListManager is the world's most popular software for creating, sending, and tracking highly effective email 
campaigns, newsletters, and discussion groups." http://www.lyris.com/products/index.html

Details of this Vulnerability:
    A design flaw in ListManager's web-based administrative interface allows anyone who is an administrator of a list 
on the server to add an arbitrary user as an administrator to any other list hosted on the same server.  Specifically, 
the form one fills out to add an administrator contains a hidden form field with the name of the list to which the 
administrator will be added.  By changing this value and submitting the form (using tools like TamperData for FireFox), 
you can add an arbitrary user as an administrator for an arbitrary list.

    Here is a sample of these hidden form fields:

    <!-- START OF - save cgi variables in hidden fields -->
    <input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
    <input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
    <input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
    <input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
    <input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
    <input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
    <input type="hidden" name="MEMBERS_.MailFormat_" value="M">
    <input type="hidden" name="MEMBERS_.MemberType_" value="normal">
    <input type="hidden" name="MEMBERS_.NoRepro_" value="F">
    <input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
    <input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
    <input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
    <input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
    <input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
    <input type="hidden" name="MEMBERS_.SubType_" value="mail">
    <input type="hidden" name="current_tab" value="Basics">
    <input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ 
Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ 
DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ 
EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
    <input type="hidden" name="table_in_memory" value="MEMBERS_">

Further Work:
    Yesterday I was trying to add a user whose name contained a single-quote, e.g. "O'Conner."  Frequently, as I 
navigated the web interface, I received SQL errors that printed a large portion of the SQL query along with details 
about what failed.  I'm sure there's SQL injection possibilities here as well, I just don't have time to explore.  And 
where there are SQL injection opportunities, there's often opportunities for JavaScript injection.

Recommendations to those using ListManager:
    The risk of this issue to your organization is directly tied to how many administrators you have on your mailing 
list server, how much you can really trust them, and the value of your mailing lists.  That is, a company that has five 
administrators for a public list shouldn't care.  However, if you've got a lot of administrators and a few lists whose 
discussions would be worth intercepting or disrupting, you're at high-risk for abuse as a result of this vulnerability. 
 Until the vendor solves this and other issues, you're going to have to have a high level of trust in the people 
administering your lists, or use a different mailing list server.  
    
Best of luck.

                                
---------------------------------
Want to be your own boss? Learn how on  Yahoo! Small Business.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/