Several buffer overflow vulnerabilities have been discovered in LISTSERV. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
L-Soft's LISTSERV is an email list management software package. It includes a Web Archive and Administration (WA) interface that allows users to browse and search list archives, and allows list owners and site maintainers to perform a number of management tasks. Several buffer overflow errors were discovered in the WA CGI component. These vulnerabilities are reported to affect LISTSERV versions 14.3 and 14.4, including LISTSERV Lite and HPO on all supported platforms. The specific nature of the underlying vulnerabilities is unknown at this time; however, the reporter has stated that additional technical details will be publicly released on 2006-06-03.
A remote attacker may be able to execute code of their choosing with the permissions of the WA CGI program.
L-Soft has released version 14.5 of LISTSERV and LISTSERV Lite, which contains a fix for these vulnerabilities. For more information, please see the "WA Security Alert" featured in the software release notes. Users of these products are strongly urged to upgrade to this fixed version of the software.
Peter Winter-Smith of Next Generation Security Software Research reported this vulnerability.
This document was written by Chad R Dougherty.
Date First Published: 2006-03-09
Date Last Updated: 2006-03-09 16:44 UTC