[Mailman-Users] security heads up - path traversal with 2.1.5

John Dennis jdennis at redhat.com
Thu Feb 10 00:12:30 CET 2005


Well, as long as the cat is out of the bag, here is some info that might be
helpful to folks. I was told the security alert was made public this
afternoon, so not much is being compromised by helping folks address the
issue given its newfound visibility :-( Red Hat has patched all of its
Mailman RPMs, which are in the process of getting pushed out through our
distribution channels. Here are the package versions for each distribution:

AS2.1: mailman-2.0.13-7
FC2: mailman-2.1.5-8.fc2
FC3: mailman-2.1.5-30.fc3
FC4: mailman-2.1.5-30.fc4
RHEL3: mailman-2.1.5-24.rhel3
RHEL4: not yet released.

The good news is that the exploit is only possible when mailman is combined
with a version of the Apache Web server (httpd) less than version 2.0 (e.g.
1.3).

I am not going to describe in this forum how the exploit occurs, for obvious
reasons. It has been reproduced on a number of systems. It is a serious
exploit that can give attackers access to most of the file system. If you
are running Apache < 2.0 you will want to patch your mailman code -OR-
upgrade to Apache >= 2.0.

If you are running Apache >= 2.0, breathe a sigh of relief: you are not
vulnerable.

BTW, I do not believe this is limited to mailman 2.1.5; it is present in
earlier mailman versions (or at least from code inspection it seems to be).

Here are two proposed fixes, either should work:

The implementation of the function true_path in Mailman/Cgi/private.py needs
to be changed:

import re

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Delete every run of one or more dots followed by one or more slashes
    # (raw string so the backslash reaches the regex engine intact).
    path = re.sub(r'\.+/+', '', path)
    # Drop the leading slash so the result is relative to the archive root.
    return path[1:]

-OR-

SLASH = '/'

def true_path4(path):
    "Ensure that the path is safe by removing .."
    # Split into components and discard any that are exactly '.' or '..'.
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    # Rejoin and drop the leading slash so the result is relative to the root.
    return SLASH.join(parts)[1:]

--
John Dennis <jdennis at redhat.com>  
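As an added illustration (not part of John's post or of Mailman's own code), the script below runs both proposed true_path variants over constructed PATH_INFO values, applies a containment check against an assumed archive root (the ARCHIVE_ROOT value is a placeholder, not Mailman's real setting), and shows where the two fixes disagree on names that merely contain dots.

```python
import posixpath
import re

# Assumed archive root for the containment check; not Mailman's actual setting.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'


def true_path_re(path):
    """First proposed fix: delete every run of dots followed by slashes."""
    return re.sub(r'\.+/+', '', path)[1:]


def true_path_split(path):
    """Second proposed fix: drop '.' and '..' path components outright."""
    parts = [x for x in path.split('/') if x not in ('.', '..')]
    return '/'.join(parts)[1:]


def stays_inside(root, rel):
    """Defensive check: the normalised target must remain under root."""
    target = posixpath.normpath(posixpath.join(root, rel))
    return target == root or target.startswith(root + '/')


def compare(path_info):
    """Apply both fixes to one PATH_INFO value and report what each yields."""
    unfixed = path_info[1:]          # only the leading slash removed
    a = true_path_re(path_info)
    b = true_path_split(path_info)
    return {
        'regex': a,
        'split': b,
        'agree': a == b,
        'unfixed_safe': stays_inside(ARCHIVE_ROOT, unfixed),
        'regex_safe': stays_inside(ARCHIVE_ROOT, a),
        'split_safe': stays_inside(ARCHIVE_ROOT, b),
    }


# Constructed sample PATH_INFO values (not captured from a real request).
SAMPLES = [
    '/mylist/index.html',              # ordinary archive page
    '/mylist/../../../../etc/passwd',  # classic traversal attempt
    '/mylist/.../index.html',          # three dots: regex strips, split keeps
    '/mylist/./foo../bar.html',        # name ending in dots: regex mangles it
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(s, compare(s))
```

Both fixes keep every sample under the root, but only the component-based one leaves legitimate names such as `foo..` untouched.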
