Versions 3 and 4 of the Lyris List Manager allow any mailing list subscriber to gain access to the administrative interface of that list by changing a form before submitting it. Fix available here.
2f0b0f3203076a0c3be1376c0bf6a444c51fef60e897a936f0aedc04872cfb91Versions 3 and 4 of the Lyris List Manager allow any mailing list
subscriber to gain access to the administrative interface of that list.
After a user has logged in, they may modify the generated web page as
follows to gain access:
Save the html to disk, and add the full path to the server into the FORM
tag. This allows it to be submitted when loaded from disk. Next change
the value of=20
<INPUT TYPE=3D"hidden" NAME=3D"list_admin" VALUE=3D"F">
to a "T". When the page is loaded back in the browser the user has
complete access to all list administrator functions. =20
Lyris has been notified, and a fix is available at
http://www.lyris.com/lm/lm_updates.html
-Adam
Note: I am not a representative of Lyris
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed