Date: Sun, 20 Sep 1998 01:40:16 -0400 From: Jimmy Lee Alderson Subject: Vulnerability in Lyris Listserver The following is associated with a post to NTbugtraq. The original post vaguely describes a security problem inherent in a popular server. I recently found this problem on my own, and was going to post. But since it has already been posted I have decided to post it to bugtraq, with some value added. I have included the original afer my signature. The web interface for the Lyris listserver is a perl based script located in the /cgi-bin/ directory on a web server by default. This server contains a vulnerability that allows access at any of the three levels of admin that Lyris allows. List Admin: Manages a particular list on a server. Site Admin: Manages a the entire group of lists. Server Admin: Manages the entire server. Server admin is the most interesting because it allows you to specify a command that should be executed either prior to or after processing mail sent to the listserver. This allows a remote attacker to execute arbitrary commands on the remote system as the user the list server is running as. (See the original post below for the fix information) Jimmy Alderson -------original post below------------- Hello all: I've been trading email with list-manager Russ, and he suggested I post a message to this list. A few weeks ago, we (the makers of the Lyris List Server) were informed by one of our users of a potential security vulnerability in the web interface of our program. While we haven't had any reports of the vulnerability being exploited at any of our customer's sites, we did replicate the problem and confirm that the vulnerability existed. At the time, we made a patch fix available which could be applied to the current (2.54) and beta (2.548) release versions. Then, we released a v3.0 beta version of Lyris, which had the bug fix. A few days ago, we released Lyris v3.0 out of beta, as a release version. This v3.0 release has the fix for the security vulnerability, as well as other things as part of the new version. We're recommending that any site running any version of Lyris upgrade to this v3.0 release. There is no charge to upgrade, and the upgrade program will preserve all current settings. Lyris v3.0 can be downloaded from here: http://www.lyris.com/down/ If you don't know what Lyris List Server is, you may be interested in this 3rd party review on Forrest Stroud's "ServerWatch" web site: http://serverwatch.internet.com/listreview-lyris.html Obviously, we've announced these security concerns, and the fixes, to all our existing user base. In my email exchange with Russ, he felt that the NTBugTraq list would benefit from knowing about this update, and that's the reason I'm posting this message. John