Thread-topic: Critical Risk Vulnerability in L-Soft Listserv
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@xxxxxxxxxxxxxxx]
> Sent: Saturday, March 04, 2006 3:57 AM
> To: vulnwatch@xxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Critical Risk Vulnerability in L-Soft Listserv
>
> Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
> in L-Soft's LISTSERV list management system. The worst of these carries a
> critical risk rating.
>
> Affected versions include:
>
> - LISTSERV version 14.4, including LISTSERV Lite and HPO
> - LISTSERV version 14.3, including LISTSERV Lite and HPO
>
> And possibly all prior versions of LISTSERV which are installed with the web
> archive interface, which is currently the default installation behaviour.
>
> The vulnerabilities which have been fixed can, in the worst of cases, allow
> a remote unauthenticated attacker to execute arbitrary code on the system
> hosting the LISTSERV archive web interface.
>
> This issue has been resolved in the latest release of L-Soft LISTSERV
> (version 14.5), which may be downloaded from:
>
> http://www.lsoft.com/download/listserv.asp
> http://www.lsoft.com/download/listservlite.asp
>
> NGSSoftware are going to withhold details of this flaw for three months.
> Full details will be published on the 3rd June 2006. This three month
> window will allow users of L-Soft's LISTSERV the time needed to apply the
> patch before the details are released to the general public. This reflects
> NGSSoftware's approach to responsible disclosure.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
>