Vulnerabilities > CVE-2005-4146 - Information Disclosure vulnerability in Lyris Listmanager TCLHTTPd Service

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
lyris-technologies-inc
nessus
NVD
Published: 2005-12-10
Updated: 2018-10-19

Summary

Lyris ListManager before 8.9b allows remote attackers to obtain sensitive information via a request to the TCLHTTPd status module, which provides sensitive server configuration information.

Vulnerable Configurations

Part Description Count
Application
Lyris_Technologies_Inc
5

Nessus

NASL familyCGI abuses
NASL idLISTMANAGER_89B.NASL
descriptionThe remote host appears to be running ListManager, a web-based commercial mailing list management application from Lyris. The version of ListManager installed on the remote host is affected by a number of input validation flaws. An unauthenticated attacker may be able to exploit these issues to launch SQL injection attacks against the backend database, view the source of any
last seen2020-06-01
modified2020-06-02
plugin id20294
published2005-12-12
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20294
titleListManager < 8.9b Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(20294);
  script_version("1.17");

  script_cve_id("CVE-2005-4143", "CVE-2005-4144", "CVE-2005-4146", "CVE-2005-4147", "CVE-2005-4148");
  script_bugtraq_id(15787, 15788);

  script_name(english:"ListManager < 8.9b Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in ListManager < 8.9b");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to multiple flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host appears to be running ListManager, a web-based
commercial mailing list management application from Lyris. 

The version of ListManager installed on the remote host is affected by
a number of input validation flaws.  An unauthenticated attacker may
be able to exploit these issues to launch SQL injection attacks
against the backend database, view the source of any 'tml' script
available to the application, bypass authentication, or obtain
information about the server configuration." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e252a917" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/374" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to ListManager 8.9b or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/12");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/08");
 script_cvs_date("Date: 2018/11/15 20:50:17");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
 
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

# Do a banner check.
banner = get_http_banner(port:port);
if (
  banner && 
  (
    # later versions of ListManager.
    egrep(pattern:"ListManagerWeb/([0-7]\.|8\.([0-8][^0-9]|9a))", string:banner) ||
    # earlier versions (eg, 8.5)
    (
      "Server: Tcl-Webserver" >< banner &&
      'Www-Authenticate: Basic realm="Lyris ListManager' >< banner
    )
  )
) {
 security_hole(port);
 set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}

References