search menu icon-carat-right cmu-wordmark

CERT Coordination Center

LISTSERV contains multiple buffer overflow vulnerabilities in the WA CGI script

Vulnerability Note VU#841132

Original Release Date: 2006-03-09 | Last Revised: 2006-03-09

Overview

Several buffer overflow vulnerabilities have been discovered in LISTSERV. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.

Description

L-Soft's LISTSERV is an email list management software package. It includes a Web Archive and Administration (WA) interface that allows users to browse and search list archives, and list owners and site maintainers to perform a number of management tasks. Several buffer overflow errors were discovered in the WA CGI component. These vulnerabilities are reported to affect LISTSERV versions 14.3 and 14.4, including LISTSERV Lite and HPO on all supported platforms. The specific nature of the underlying vulnerabilities is unknown at this time, however the reporter has stated that additional technical details will be publicly released on 2006-06-03.

Impact

A remote attacker may be able to execute code of their choosing with the permissions of the WA CGI program.

Solution

Upgrade

L-Soft has released version 14.5 of LISTSERV and LISTSERV Lite that contains a fix for these vulnerabilities. For more information please see the "WA Security Alert" featured in the software release notes. Users of these products are strongly urged to upgrade to this fixed version of the software.

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Peter Winter-Smith of Next Generation Security Software Research reported this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2006-1044
Severity Metric: 18.28
Date Public: 2006-03-03
Date First Published: 2006-03-09
Date Last Updated: 2006-03-09 16:44 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.