*************************************************************************
*************************** SECURITY ADVISORY ***************************
*************************************************************************
A security exposure has been discovered and fixed in the LISTSERV web
interface (including LISTSERV Maestro, LISTSERV HPO, LISTSERV Lite, and
LISTSERV Free Edition). L-Soft recommends that all affected users apply
the patch immediately.
------------------------------- ABSTRACT --------------------------------
PRODUCTS AFFECTED:
- LISTSERV version 14.3 (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8e (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8d (inferred), including LISTSERV Lite and HPO.
- Older versions are not believed to be affected.
- LISTSERV Free Edition is LISTSERV Lite with special licensing terms.
What applies to LISTSERV Lite in this advisory applies also to LISTSERV
Free Edition.
- Support for version 1.8e (released May 22, 2002) was discontinued
December 31, 2004. No patches are available for version 1.8e or older.
OPERATING SYSTEMS AFFECTED:
- Windows, unix (all vendors), OpenVMS AXP (confirmed).
- VM sites are not affected.
EXCEPTIONS/SPECIAL NOTES:
- Customers not using the LISTSERV web interface are not vulnerable.
- The LISTSERV Maestro web interface is not vulnerable; however, LISTSERV
Maestro installations typically host both LISTSERV and LISTSERV Maestro
web interfaces, and in such cases they are vulnerable.
- The 10 January 2005 and later builds of LISTSERV version 14.3 are less
vulnerable, but L-Soft recommends that they be upgraded anyway.
- LISTSERV version 14.4 (beta) is not vulnerable.
EXPOSURE:
On a correctly configured LISTSERV installation running the LISTSERV web
interface with normal CGI privileges, intruders may be able to gain
non-privileged access to the system on which the web interface script is
running. The executable in question is called 'WA.EXE' on Windows and
VMS, and 'wa' on unix. In the remainder of this advisory, this script
will be called "WA" regardless of operating system.
The exposure may be more severe if WA is configured to run with
privileges beyond those recommended by L-Soft or, for Windows, if the
system partition is using the FAT or FAT32 file system.
SOLUTION:
- Apply 2005a level set.
OR:
- Update just WA from 2005a level set.
The vulnerability cannot be circumvented, other than by disabling the web
interface altogether.
RISK RATING: HIGH
- Date of first reported exploit: May 20, 2005.
- Exploit widely known within hacker community since: no known incident.
INCIDENT CHRONOLOGY:
2005-05-20 Initial report to L-Soft support
2005-05-20 More information requested
2005-05-21 Detailed information received
2005-05-21 Internal escalation
2005-05-22 Problem not reproduced
2005-05-23 Problem reproduced
2005-05-23 Emergency correction initiated
2005-05-24 Patch A1 ready
2005-05-24 A1 delivered to reporting site
2005-05-24 A1 passed standard internal tests, ready for deployment
2005-05-24 2005a kit generation starting
2005-05-24 2005a kits ready for deployment
2005-05-25 Reporting site confirms A1 removes exposure
2005-05-25 2005a deployed
2005-05-25 Security Advisory distributed to Maintenance customers
2005-05-25 Security Advisory distributed to LSTSRV-L
2005-05-25 Security Advisory distributed to LISTSERV-Developers
2005-05-25 Security Advisory distributed to LISTSERV-Lite
2005-05-25 Security Advisory distributed to Updates-LISTSERV
---------------------------- END OF ABSTRACT ----------------------------
THE 2005a LEVEL SET
-------------------
The only change in the 2005a level set is an updated WA executable.
There is no user-visible change or new functionality after applying the
2005a level set.
L-Soft intends to deliver new functionality to customers through the
upcoming 14.4 release, which is currently in beta. Future 14.3 level
sets, if any, are not expected to include any new functionality.
APPLYING THE 2005a LEVEL SET
----------------------------
This level set can be installed as a normal level set upgrade, which will
require that LISTSERV be stopped during the upgrade, or you can opt to
extract the updated WA executable from the kit and replace it on the fly,
which is less disruptive, but also more complicated. If in doubt, perform
a normal upgrade.
If you perform an on-the-fly upgrade, you will have to update WA in two
locations: your web server's CGI directory, and LISTSERV's own directory
tree. If you do not update the CGI directory, the patch is not active. If
you do not update the copy of WA in the LISTSERV directory and later use
one of the L-Soft setup/installation tools to move your LISTSERV web
directory, the tool may copy the unpatched version of WA to the new
location and re-introduce the vulnerability.
Regardless of which method you choose, be sure to verify that the patch
is online by loading the following URL:
- Windows, VMS: http://.../wa.exe?DEBUG-SHOW-VERSION
- unix: http://.../wa?DEBUG-SHOW-VERSION
The compilation date should read 24 May 2005 or later.
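The two-location requirement described above can be checked at the file level. The following is an added example, not part of L-Soft's advisory or tooling: it compares the WA copy in the web server's CGI directory and the copy in the LISTSERV directory tree against the WA executable extracted from the 2005a kit. All three paths are site-specific assumptions supplied by the operator.

```python
import hashlib
import sys
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_wa_copies(kit_wa, cgi_wa, listserv_wa):
    """Compare both installed WA copies against the one extracted from the kit.

    Returns a dict mapping location name -> "patched", "stale" or "missing".
    Raises FileNotFoundError if the kit copy itself cannot be read.
    """
    reference = sha256_of(kit_wa)
    if reference is None:
        raise FileNotFoundError(f"kit copy of WA not found: {kit_wa}")
    result = {}
    for name, path in (("cgi", cgi_wa), ("listserv", listserv_wa)):
        digest = sha256_of(path)
        if digest is None:
            result[name] = "missing"
        elif digest == reference:
            result[name] = "patched"
        else:
            result[name] = "stale"
    return result


if __name__ == "__main__":
    # Usage: check_wa.py <kit WA> <CGI directory WA> <LISTSERV directory WA>
    # All three paths are site-specific assumptions supplied by the operator.
    if len(sys.argv) != 4:
        sys.exit("usage: check_wa.py KIT_WA CGI_WA LISTSERV_WA")
    status = check_wa_copies(*sys.argv[1:4])
    for name, state in status.items():
        print(f"{name}: {state}")
    sys.exit(0 if all(s == "patched" for s in status.values()) else 1)
```

A "stale" result for the LISTSERV directory copy is the case the advisory warns about: a later move of the web directory could copy the unpatched WA back into service. The DEBUG-SHOW-VERSION URL remains the check of what the web server actually serves.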
DOWNLOADING THE 2005a LEVEL SET
-------------------------------
To download the 2005a level set, go to L-Soft's web site and download an
evaluation copy of LISTSERV Lite if this is what you are running, or
LISTSERV Classic in all other cases (Classic, HPO, Maestro, etc). This
evaluation kit will upgrade your existing LISTSERV installation. It will
NOT turn it into an evaluation version.
The kits can be found at:
http://www.lsoft.com/download/listserv.asp
http://www.lsoft.com/download/listservlite.asp
MacOS beta sites will instead find the level set at the same location as
the original beta installation kits.
ACKNOWLEDGEMENTS
----------------
L-Soft would like to thank Peter Winter-Smith of Next Generation Security
Software (www.ngssoftware.com) for reporting this problem and providing
information and assistance well past regular business hours.