Date:         Sun, 20 Sep 1998 01:40:16 -0400
From:         Jimmy Lee Alderson <blue0ne@IGLOO.ORG>
Subject:      Vulnerability in Lyris Listserver

The following is associated with a  post to NTbugtraq.  The original post
vaguely describes a security problem inherent in a popular server.  I
recently found this problem on my own, and was going to post. But since it
has already been posted I have decided to post it to bugtraq, with some
value added.  I have included the original afer my signature.

The web interface for the Lyris listserver is a perl based script located in
the /cgi-bin/ directory on a web server by default.  This server contains a
vulnerability that allows access at any of the three levels of admin that
Lyris allows.


List Admin: Manages a particular list on a server.

Site Admin: Manages a the entire group of lists.

Server Admin: Manages the entire server.

Server admin is the most interesting because it allows you to specify a
command that should be executed either prior to or after processing mail
sent to the listserver.  This allows a remote attacker to execute arbitrary
commands on the remote system as the user the list server is running as.


(See the original post below for the fix information)


Jimmy Alderson


 -------original post below-------------


 Hello all: I've been trading email with list-manager Russ, and he
 suggested I post a message to this list.

 A few weeks ago, we (the makers of the Lyris List Server) were informed
 by one of our users of a potential security vulnerability in the web
 interface of our program. While we haven't had any reports of the
 vulnerability being exploited at any of our customer's sites, we did
 replicate the problem and confirm that the vulnerability existed.

 At the time, we made a patch fix available which could be applied to the
 current (2.54) and beta (2.548) release versions.  Then, we released a
 v3.0 beta version of Lyris, which had the bug fix.

 A few days ago, we released Lyris v3.0 out of beta, as a release version.
 This v3.0 release has the fix for the security vulnerability, as well as
 other things as part of the new version.

 We're recommending that any site running any version of Lyris upgrade to
 this v3.0 release. There is no charge to upgrade, and the upgrade program
 will preserve all current settings.

 Lyris v3.0 can be downloaded from here: http://www.lyris.com/down/

 If you don't know what Lyris List Server is, you may be interested in
 this 3rd party review on Forrest Stroud's "ServerWatch" web site:
 http://serverwatch.internet.com/listreview-lyris.html

 Obviously, we've announced these security concerns, and the fixes, to all
 our existing user base.  In my email exchange with Russ, he felt that the
 NTBugTraq list would benefit from knowing about this update, and that's
 the reason I'm posting this message.

 John