Vulnerabilities > CVE-2005-4148 - Information Disclosure vulnerability in Lyris ListManager Hidden Variable

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
lyris-technologies-inc
nessus

Summary

Lyris ListManager 8.5, and possibly other versions before 8.8, includes sensitive information in the env hidden variable, which allows remote attackers to obtain information such as the installation path by requesting a non-existent page and reading the env variable from the resulting error message page.

Nessus

  • NASL familyCGI abuses
    NASL idLISTMANAGER_ERRORMSG_INFO_DISCLOSURE.NASL
    descriptionThe remote host appears to be running ListManager, a web-based commercial mailing list management application from Lyris. In response to a request for a nonexistent page, the version of ListManager on the remote host returns sensitive information such as the installation path and software version as well as possibly SQL queries, code blocks, or the entire CGI environment.
    last seen2020-06-01
    modified2020-06-02
    plugin id20295
    published2005-12-12
    reporterThis script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/20295
    titleListManager Error Message Information Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Nessus plugin 20295: ListManager error-page information disclosure
    # (CVE-2005-4148, CVE-2005-4149).  The check is active: it requests a
    # /read/rss forum that should not exist and looks for the bug-report
    # form whose hidden fields (currentdir, env, version) expose the
    # installation path, the version and possibly the CGI environment.
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and exit(0) returns before any
    # network activity takes place.
    if (description) {
      script_id(20295);
      script_version("1.26");
    
      script_cve_id("CVE-2005-4148", "CVE-2005-4149");
      script_bugtraq_id(15789);
    
      script_name(english:"ListManager Error Message Information Disclosure");
      script_summary(english:"Checks for error message information disclosure vulnerability in ListManager");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is vulnerable to an information disclosure
    attack." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running ListManager, a web-based
    commercial mailing list management application from Lyris. 
    
    In response to a request for a nonexistent page, the version of
    ListManager on the remote host returns sensitive information such as
    the installation path and software version as well as possibly SQL
    queries, code blocks, or the entire CGI environment." );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/374" );
     # No vendor fix was known when the plugin was written; the sibling
     # plugin 20294 recommends upgrading to 8.9b or later for the related CVEs.
     script_set_attribute(attribute:"solution", value:
    "Unknown at this time." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:U/RC:X");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/12");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/08");
     script_cvs_date("Date: 2018/11/15 20:50:17");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
     
      # ACT_ATTACK because the scan pass deliberately triggers the error page
      # rather than only reading the banner.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
     
      script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl");
      script_require_ports("Services/www", 80);
      # The plugin is only scheduled when the ParanoidReport setting exists;
      # the banner gate below additionally consults report_paranoia.
      script_require_keys("Settings/ParanoidReport");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Scan pass: everything from here on talks to the target.
    port = get_http_port(default:80);
    
    
    # Make sure it's ListManager, unless we're being paranoid.
    # With report_paranoia < 2 the probe is skipped unless the banner names
    # ListManagerWeb/ (later releases) or Tcl-Webserver (e.g. 8.5); at
    # paranoia level 2 the request is sent to whatever answers on the port.
    banner = get_http_banner(port:port);
    if (
      report_paranoia < 2 &&
      banner && 
      (
        # later versions of ListManager
        "ListManagerWeb/" >!< banner &&
        # earlier versions (eg, 8.5)
        "Server: Tcl-Webserver" >!< banner
      )
    ) exit(0, "ListManager is not running on port "+port);
    
    
    # Try to exploit the flaw.
    # The plugin's own name is used as the forum name -- presumably a name no
    # real forum carries -- so the server falls back to its error page.
    url = "/read/rss?forum=" + SCRIPT_NAME;
    w = http_send_recv3(method:"GET", item:url, port:port);
    if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
    res = w[2];
    
    # There's a problem if we see a bug report form.
    # Any one of the three hidden fields is enough to report; the loop below
    # then extracts whichever of them are actually present.
    if (egrep(pattern:'<INPUT TYPE="HIDDEN" NAME="(currentdir|env|version)', string:res)) {
      report = '\n' +
        'Nessus was able to uncover some information using the following URL :\n' +
        '\n' +
        "  " +  build_url(port:port, qs:url) +  '\n';
    
      info = "";
      foreach litem (make_list("currentdir", "env", "version"))
      {
        leadin = '<INPUT TYPE="HIDDEN" NAME="' + litem + '" VALUE="';
        if (leadin >< res)
        {
          # NASL string subtraction removes the first occurrence of the right
          # operand: first drop everything up to and including the leadin,
          # then drop from the closing '">' onwards, leaving the VALUE text.
          val = strstr(res, leadin) - leadin;
          val = val - strstr(val, '">');
          # The env value can contain the whole CGI environment, so the scan
          # report itself carries the leaked data and should be handled as
          # sensitive.
          info += '  ' + litem + ' : ' + val + '\n';
        }
      }
    
      report += '\n' +
        'Here is the information extracted :\n' +
        '\n' +
        info;
    
      # Medium severity, consistent with the C:P/I:N/A:N CVSS2 vector above.
      security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
    
      exit(0);
    }
    
  • NASL familyCGI abuses
    NASL idLISTMANAGER_89B.NASL
    descriptionThe remote host appears to be running ListManager, a web-based commercial mailing list management application from Lyris. The version of ListManager installed on the remote host is affected by a number of input validation flaws. An unauthenticated attacker may be able to exploit these issues to launch SQL injection attacks against the backend database, view the source of any 'tml' script available to the application, bypass authentication, or obtain information about the server configuration.
    last seen2020-06-01
    modified2020-06-02
    plugin id20294
    published2005-12-12
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20294
    titleListManager < 8.9b Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Nessus plugin 20294: ListManager < 8.9b multiple vulnerabilities
    # (CVE-2005-4143, -4144, -4146, -4147, -4148).  This is a passive banner
    # check: nothing beyond the HTTP banner is requested, so the verdict is
    # only as reliable as the Server / Www-Authenticate headers the target
    # chooses to send.
    
    include("compat.inc");
    
    # Registration pass: metadata only; exit(0) returns before the scan code.
    if (description) {
      script_id(20294);
      script_version("1.17");
    
      script_cve_id("CVE-2005-4143", "CVE-2005-4144", "CVE-2005-4146", "CVE-2005-4147", "CVE-2005-4148");
      script_bugtraq_id(15787, 15788);
    
      script_name(english:"ListManager < 8.9b Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in ListManager < 8.9b");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is vulnerable to multiple flaws." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running ListManager, a web-based
    commercial mailing list management application from Lyris. 
    
    The version of ListManager installed on the remote host is affected by
    a number of input validation flaws.  An unauthenticated attacker may
    be able to exploit these issues to launch SQL injection attacks
    against the backend database, view the source of any 'tml' script
    available to the application, bypass authentication, or obtain
    information about the server configuration." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e252a917" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/374" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to ListManager 8.9b or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/12");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/08");
     script_cvs_date("Date: 2018/11/15 20:50:17");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
      # ACT_GATHER_INFO: the scan pass only reads the banner already collected
      # by http_version.nasl.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
     
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      script_dependencies("http_version.nasl");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = get_http_port(default:80);
    
    # Do a banner check.
    # There is no paranoia gate here: a matching banner alone produces the
    # finding, so a modified or spoofed Server header can cause a false
    # positive or negative.
    banner = get_http_banner(port:port);
    if (
      banner && 
      (
        # later versions of ListManager.
        # Matches ListManagerWeb/0.x-7.x, 8.0-8.8 followed by a non-digit (so
        # 8.10 and later are excluded) and 8.9a.  A bare "8.9" with no letter
        # suffix would not match; whether such a build exists is not
        # established here.
        egrep(pattern:"ListManagerWeb/([0-7]\.|8\.([0-8][^0-9]|9a))", string:banner) ||
        # earlier versions (eg, 8.5)
        # Presumably these builds carry no version in the banner, so the
        # Lyris Basic-auth realm is the only fingerprint used.
        (
          "Server: Tcl-Webserver" >< banner &&
          'Www-Authenticate: Basic realm="Lyris ListManager' >< banner
        )
      )
    ) {
     # Reported at the highest severity because the set of issues in the
     # description includes SQL injection and authentication bypass.
     security_hole(port);
     # Record the port in the KB; presumably consumed by other plugins that
     # key off generic SQL-injection findings.
     set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }