[16226] in bugtraq
Lyris List Manager Administration Hole
daemon@ATHENA.MIT.EDU (Adam Hupp)
Mon Aug 14 14:41:27 2000
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE"
Content-Disposition: inline
Message-Id: <20000811224307.A1735@upl.cs.wisc.edu>
Date: Fri, 11 Aug 2000 22:43:07 -0500
Reply-To: Adam Hupp <hupp@UPL.CS.WISC.EDU>
From: Adam Hupp <hupp@UPL.CS.WISC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Versions 3 and 4 of the Lyris List Manager allow any mailing list
subscriber to gain access to the administrative interface of that list.
After a user has logged in, they may modify the generated web page as
follows to gain access:
Save the html to disk, and add the full path to the server into the FORM
tag. This allows it to be submitted when loaded from disk. Next change
the value of=20
<INPUT TYPE=3D"hidden" NAME=3D"list_admin" VALUE=3D"F">
to a "T". When the page is loaded back in the browser the user has
complete access to all list administrator functions. =20
Lyris has been notified, and a fix is available at
http://www.lyris.com/lm/lm_updates.html
-Adam
Note: I am not a representative of Lyris
--Kj7319i9nmIyA2yE
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5lMfKafi0N3EDCG8RAhFpAJ4yyxR2+cfgrchBnHDHUNw4odOKtACfbE5j
B86Pw/KdDs0FusnJuEobLF4=
=UWCN
-----END PGP SIGNATURE-----
--Kj7319i9nmIyA2yE--
