Arbitrary Command Execution via Line Wrap in Lyris ListManager Web Interface

Arbitrary Command Execution via Line Wrap in Lyris ListManager Web Interface

CVE-2005-4142 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

The web interface for subscribing new users in Lyris ListManager 5.0 through 8.8b, in combination with a line wrap feature, allows remote attackers to execute arbitrary list administration commands via LFCR (%0A%0D) sequences in the pw parameter. NOTE: it is not clear whether this is a variant of a CRLF injection vulnerability.

Learn more about our Web App Pen Testing.