[Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Wed Feb 9 23:00:08 CET 2005


Hi,

Ron Brogden wrote:
> Hey folks.  I haven't see an official post here yet but as this has already 
> gone out on at least one full-disclosure list I thought it worth mentioning 
> since this will be an actively exploited 0 day:
> 
> http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

Barry and I are notified on this subject but both are busy on their job 
so he requested for delay in the disclosure.
> 
> Basically, there is a path traversal issue with mailman 2.1.5 which will let 
> you access any file that the Mailman user has read access to (at least under 
> Apache 1.3, can't speak for other web servers).  I have tested this on a 
> personal box and it does indeed work as advertised.

I've tested with my 1.3.29 installation and verified apache PATH_INFO 
does convert '//' to '/'. Barry also wanted to clarify which apache 
version/installation (combination with mailman) is valnerable. Return 
code of 200 doesn't mean sucessful exploit. You should check mailman 
logs/error also. (If there is none chances are succesful exploit.)
> 
> One temporary workaround is to stop access to "/mailman/private" via your web 
> server configuration.  I would wait for a formal patch notice from the 
> developers before patching the actual Mailman code.

Also newly introduced script bin/reset_pw.py may be useful if your list 
has been really exploited. (It should be veiwable from SourceForge CVS 
but it looks like currently in trouble.)


-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/



More information about the Mailman-Developers mailing list