[Mailman-Users] security heads up - path traversal with 2.1.5

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Wed Feb 9 23:00:08 CET 2005


Hi,

Ron Brogden wrote:
> Hey folks.  I haven't seen an official post here yet but as this has already 
> gone out on at least one full-disclosure list I thought it worth mentioning 
> since this will be an actively exploited 0-day:
> 
> http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

Barry and I have been notified on this subject but both of us are busy on 
our jobs, so he requested a delay in the disclosure.
> 
> Basically, there is a path traversal issue with mailman 2.1.5 which will let 
> you access any file that the Mailman user has read access to (at least under 
> Apache 1.3, can't speak for other web servers).  I have tested this on a 
> personal box and it does indeed work as advertised.

I've tested with my 1.3.29 installation and verified that Apache PATH_INFO 
does convert '//' to '/'. Barry also wanted to clarify which Apache 
version/installation (in combination with Mailman) is vulnerable. A return 
code of 200 doesn't mean a successful exploit. You should also check the 
Mailman logs/error log. (If there is none, chances are the exploit was 
successful.)
> 
> One temporary workaround is to stop access to "/mailman/private" via your web 
> server configuration.  I would wait for a formal patch notice from the 
> developers before patching the actual Mailman code.

Also, the newly introduced script bin/reset_pw.py may be useful if your list 
has really been exploited. (It should be viewable from SourceForge CVS, 
but it looks like it is currently in trouble.)


-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
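A defender-side log check for the request pattern discussed in this thread, added here as an example that is not part of the post and not Mailman's own code: it scans Apache access-log lines for requests under /mailman/private whose raw path carries traversal indicators ('..' segments, percent-encoded or not, or the doubled slashes that Tokio notes Apache collapses) and reports each with its status code. As the post says, a 200 alone proves nothing, so each hit is only marked as needing a look at Mailman's own logs. The log lines, client addresses and the PLACEHOLDER_FILE name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format (first fields are enough for this check).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PRIVATE_PREFIX = "/mailman/private"

# Constructed sample lines (not real traffic): a normal archive request, one with
# a doubled slash plus '..' segments, one percent-encoded, and one outside Mailman.
LOG_SAMPLE = [
    '10.0.0.5 - - [09/Feb/2005:21:00:01 +0100] "GET /mailman/private/mylist/ HTTP/1.0" 200 1532',
    '10.0.0.5 - - [09/Feb/2005:21:00:02 +0100] "GET /mailman/private/mylist//../../PLACEHOLDER_FILE HTTP/1.0" 200 987',
    '10.0.0.6 - - [09/Feb/2005:21:00:03 +0100] "GET /mailman/private/mylist/..%2f..%2fPLACEHOLDER_FILE HTTP/1.0" 404 210',
    '10.0.0.7 - - [09/Feb/2005:21:00:04 +0100] "GET /images/../index.html HTTP/1.0" 200 432',
]


def is_suspicious_path(raw_path):
    """True if the request targets /mailman/private and carries traversal
    indicators: a doubled slash anywhere in the path, or a '..' path segment
    (decoded twice so single and double percent-encoding are both caught)."""
    decoded = unquote(unquote(raw_path))
    if not decoded.startswith(PRIVATE_PREFIX):
        return False
    path_only = decoded.split("?", 1)[0]
    if "//" in path_only:
        return True
    return any(segment == ".." for segment in path_only.split("/"))


def scan_log(lines):
    """Return one record per suspicious request. A 200 is not treated as proof of
    a successful read; it only flags the request for a check of Mailman's logs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        if is_suspicious_path(m.group("path")):
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "check_mailman_logs": m.group("status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE):
        flag = "verify in Mailman logs" if hit["check_mailman_logs"] else "server refused"
        print(f'{hit["time"]} {hit["host"]} {hit["status"]} {hit["path"]}  <- {flag}')
```

Run it against a real access log with `scan_log(open("/path/to/access_log"))`; the decoded-path check is deliberately broader than the exact '//' case from the post so that encoded variants are not missed, at the cost of some false positives on odd but legitimate URLs.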
