lyris895.txt
Posted Sep 7, 2006
Authored by Design Properly

The Lyris ListManager version 8.95 suffers from an arbitrary administrative user addition flaw.

tags | advisory, arbitrary
SHA-256 | 7517d9769056d7392858c94978a82c7712a1c67f09d2f2ad24b399ceff2a2216

Advisory: Lyris ListManager 8.95: Add arbitrary administrator to arbitrary list
Release Date: 2006-08-30
Application: Lyris ListManager 8.95
Risk: Depends upon your use and business context
Vendor site: http://www.lyris.com/

Overview of Product:
"Lyris ListManager is the world's most popular
software for creating, sending, and tracking highly
effective email campaigns, newsletters, and
discussion groups."
http://www.lyris.com/products/index.html

Details of this Vulnerability:
A design flaw in ListManager's web-based
administrative interface allows anyone who is an
administrator of a list on the server to add an
arbitrary user as an administrator to any other list
hosted on the same server. Specifically, the form
one fills out to add an administrator contains a
hidden form field with the name of the list to which
the administrator will be added. By changing this
value and submitting the form (using tools like
TamperData for Firefox), you can add an arbitrary
user as an administrator for an arbitrary list.

Here is a sample of these hidden form fields:

<!-- START OF - save cgi variables in hidden fields -->
<input type="hidden" name="MEMBERS_.AppNeeded_" value="F">
<input type="hidden" name="MEMBERS_.CleanAuto_" value="F">
<input type="hidden" name="MEMBERS_.DateJoined_" value="2006-08-30 20:20:32">
<input type="hidden" name="MEMBERS_.EnableWYSIWYG_" value="T">
<input type="hidden" name="MEMBERS_.IsListAdm_" value="T">
<input type="hidden" name="MEMBERS_.List_" value="[INSERT TARGET LIST HERE]">
<input type="hidden" name="MEMBERS_.MailFormat_" value="M">
<input type="hidden" name="MEMBERS_.MemberType_" value="normal">
<input type="hidden" name="MEMBERS_.NoRepro_" value="F">
<input type="hidden" name="MEMBERS_.NotifySubm_" value="T">
<input type="hidden" name="MEMBERS_.NumAppNeed_" value="0">
<input type="hidden" name="MEMBERS_.RcvAdmMail_" value="T">
<input type="hidden" name="MEMBERS_.ReadsHtml_" value="F">
<input type="hidden" name="MEMBERS_.ReceiveAck_" value="F">
<input type="hidden" name="MEMBERS_.SubType_" value="mail">
<input type="hidden" name="current_tab" value="Basics">
<input type="hidden" name="fields_in_memory" value="FullName_ AppNeeded_ PermissionGroupID_ MemberType_ SubType_ Password_ ExpireDate_ SubType_ CleanAuto_ NoRepro_ UserID_ Comment_ Additional_ ReceiveAck_ NumAppNeed_ List_ DateBounce_ ConfirmDat_ MailFormat_ ReadsHtml_ DateHeld_ DateUnsub_ DateJoined_ UserNameLC_ Domain_ EnableWYSIWYG_ EMAILADDR_ IsListAdm_ RcvAdmMail_ NotifySubm_">
<input type="hidden" name="table_in_memory" value="MEMBERS_">
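
The design flaw described above, next to a server-side fix, as an added example that is not Lyris code or part of the original advisory: the handler must authorize the submitted list name against data the server holds, and may additionally MAC the privileged hidden fields. The admin table, key, `state_mac` and `new_admin_email` names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumption): lists each logged-in admin may manage.
ADMIN_OF = {"alice": {"newsletter"}, "bob": {"board-private"}}
SERVER_KEY = b"constructed-demo-key"  # hypothetical per-server secret
PRIVILEGED = ("MEMBERS_.List_", "MEMBERS_.IsListAdm_")  # names from the advisory


def seal(session_user, fields):
    """HMAC over the privileged hidden fields, bound to the session user."""
    parts = [session_user] + [fields.get(name, "") for name in PRIVILEGED]
    return hmac.new(SERVER_KEY, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(session_user, list_name):
    """Fields the server emits into the 'add administrator' form."""
    fields = {"MEMBERS_.List_": list_name, "MEMBERS_.IsListAdm_": "T"}
    fields["state_mac"] = seal(session_user, fields)  # hypothetical extra field
    return fields


def add_admin_vulnerable(session_user, form, members):
    """The flaw as described: the target list comes straight from the form."""
    members.setdefault(form["MEMBERS_.List_"], set()).add(form["new_admin_email"])
    return True


def add_admin_hardened(session_user, form, members):
    """Reject altered hidden state, then authorize against server-side data."""
    target = form.get("MEMBERS_.List_", "")
    supplied = form.get("state_mac", "").encode()
    if not hmac.compare_digest(seal(session_user, form).encode(), supplied):
        return False  # hidden fields differ from what the server rendered
    if target not in ADMIN_OF.get(session_user, set()):
        return False  # the decisive check: caller does not administer this list
    members.setdefault(target, set()).add(form["new_admin_email"])
    return True


def demo():
    """alice administers 'newsletter'; the submitted list name was changed."""
    form = render_hidden_fields("alice", "newsletter")
    form["new_admin_email"] = "mallory@example.com"  # hypothetical field name
    altered = dict(form, **{"MEMBERS_.List_": "board-private"})
    return (add_admin_vulnerable("alice", altered, {}),
            add_admin_hardened("alice", altered, {}),
            add_admin_hardened("alice", form, {}))
```

The MAC only detects altered hidden state; the membership lookup is what enforces the privilege boundary, so it must run even when the MAC verifies.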

Further Work:
Yesterday I was trying to add a user whose name
contained a single-quote, e.g. "O'Conner."
Frequently, as I navigated the web interface, I
received SQL errors that printed a large portion of
the SQL query along with details about what failed.
I'm sure there are SQL injection possibilities here as
well; I just don't have time to explore. And where
there are SQL injection opportunities, there are often
opportunities for JavaScript injection.

Recommendations to those using ListManager:
The risk of this issue to your organization is
directly tied to how many administrators you have on
your mailing list server, how much you can really
trust them, and the value of your mailing lists.
That is, a company that has five administrators for
a public list shouldn't care. However, if you've
got a lot of administrators and a few lists whose
discussions would be worth intercepting or
disrupting, you're at high risk for abuse as a
result of this vulnerability. Until the vendor
solves this and other issues, you're going to have
to have a high level of trust in the people
administering your lists, or use a different mailing
list server.

Best of luck.
