COMMAND

    Lyris Listserver

SYSTEMS AFFECTED

    Lyris Listserver

PROBLEM

    Jimmy Lee Alderson posted the following, which is related to an
    earlier finding by another researcher (John ?).  The original post
    vaguely describes a security problem inherent in a popular list
    server; Jimmy recently ran into the same problem.  The web
    interface for the Lyris listserver is a Perl-based CGI script
    located, by default, in the /cgi-bin/ directory of the web server.
    This CGI script contains a vulnerability that allows access at any
    of the three levels of admin that Lyris provides:

        List Admin:   Manages a particular list on a server
        Site Admin:   Manages the entire group of lists
        Server Admin: Manages the entire server

    Server admin is the most interesting level because it allows the
    admin to specify a command that is executed either before or after
    each message sent to the listserver is processed.  An attacker who
    reaches that level through the web interface can therefore execute
    arbitrary commands on the remote system as the user the list server
    is running as.
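
    The pattern behind this advisory, as an added example that is not
    Lyris code: a pre/post-processing command that is stored as a
    free-form string through the web interface is, by construction,
    remote command execution for anyone who reaches the server-admin
    level, whether legitimately or through an access-control bug like
    the one above.  The hardened form below only lets the interface
    name a hook that the operator has installed on the filesystem,
    refuses anything outside that directory, symlinked, or writable by
    others, and runs it without a shell.  All names (pre_command,
    hooks/, archive.sh, resolve_hook) are assumptions made for the
    illustration, and the message file is constructed sample data.

```python
# Added example, not Lyris code.  Contrasts a web-settable "run this
# command around each message" hook (RCE for whoever controls it) with
# a hook the UI can only select by name.  All names are hypothetical.
import re
import stat
import subprocess
import tempfile
from pathlib import Path

HOOK_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # hypothetical naming policy


def run_hook_unsafe(config, message_path):
    """Vulnerable pattern: the admin-supplied string goes to a shell verbatim.
    Whoever controls config["pre_command"] runs as the list-server user."""
    proc = subprocess.run(config["pre_command"] + " " + message_path,
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def resolve_hook(hook_dir, hook_name):
    """Hardened pattern: the UI may only name a hook; the executable itself
    is installed on the filesystem by the operator.  Returns the resolved
    path or raises ValueError."""
    if not HOOK_NAME.fullmatch(hook_name):
        raise ValueError("hook name contains disallowed characters")
    hook_dir = Path(hook_dir).resolve()
    candidate = hook_dir / hook_name
    if candidate.is_symlink():
        raise ValueError("hook may not be a symlink")
    target = candidate.resolve()
    if target.parent != hook_dir:                # also catches "." and ".."
        raise ValueError("hook escapes the hook directory")
    if not target.is_file():
        raise ValueError("hook is not a regular file")
    mode = target.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("hook is group- or world-writable")
    if not mode & stat.S_IXUSR:
        raise ValueError("hook is not executable")
    return target


def run_hook_safe(hook_dir, hook_name, message_path):
    """Run a vetted hook without a shell; the message path is an argv entry,
    never interpolated into a command line."""
    target = resolve_hook(hook_dir, hook_name)
    proc = subprocess.run([str(target), message_path], shell=False,
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def demo():
    """Build a throwaway hook directory and message (constructed sample data)
    and exercise both patterns.  Returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        hook_dir = Path(tmp) / "hooks"
        hook_dir.mkdir()
        script = hook_dir / "archive.sh"          # operator-installed hook
        script.write_text('#!/bin/sh\necho "ARCHIVED $1"\n')
        script.chmod(0o755)
        msg = Path(tmp) / "msg.txt"
        msg.write_text("Subject: hello\n\nbody\n")

        injected = "true; echo INJECTED #"        # what a hostile admin types
        out = {}
        out["unsafe_runs_injected"] = "INJECTED" in run_hook_unsafe(
            {"pre_command": injected}, str(msg))
        out["safe_runs_installed"] = ("ARCHIVED " + str(msg)) in run_hook_safe(
            hook_dir, "archive.sh", str(msg))
        for label, name in (("injected", injected), ("dotdot", ".."),
                            ("path", "../archive.sh"), ("absolute", "/bin/sh")):
            try:
                resolve_hook(hook_dir, name)
                out["safe_rejects_" + label] = False
            except ValueError:
                out["safe_rejects_" + label] = True
        script.chmod(0o777)                       # tampering check
        try:
            resolve_hook(hook_dir, "archive.sh")
            out["safe_rejects_writable"] = False
        except ValueError:
            out["safe_rejects_writable"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Running the block prints one line per check: the unsafe runner
    executes the injected echo, while resolve_hook rejects the same
    string, rejects ".." and absolute or slash-containing names, and
    refuses the installed hook once it has been made world-writable.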

SOLUTION

    Lyris made a patch available that can be applied to the 2.54 and
    2.548 beta releases.  The v3.0 beta and the v3.0 release also
    contain the fix.  It is recommended that any site running any
    version of Lyris upgrade to the v3.0 release.  There is no charge
    to upgrade, and the upgrade program preserves all current settings.
    Lyris v3.0 can be downloaded from:

        http://www.lyris.com/down/