[Mailman-Users] message about probes

[Mark Sapiro]

Stephen J. Turnbull wrote:

>Mark Sapiro writes:
> > Gruver, Sandi wrote:
>
> > >!!!! 2 possible successful probes
> > > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> > 
[...]

> > if you look in Mailman's error log, you'll see entries like 'No
> > such list "includes":' and 'No such list "sqlhelp":' corresponding
> > to these because the Mailman CGI's protect against these attacks.
>
>Mark, do you understand what the attacker is trying to exploit here?
>It's not at all obvious to me.  Since /mailman/ is a scriptalias, and
>those are both actual scripts, it's mailman/private and mailman/admin
>that are going to be interpreting everything after the script name.
>The next segment of the path is the listname, and anything after that
>is either garbage or a query about the list, so I can't see an attempt
>to exploit mailman here, despite the fact that they're specifically
>invoking mailman CGIs.  Am I missing something?


I think they are shotgunning trying to find a session.php that
presumably is vulnerable to the rest of the attack. I saw other URIs
at the same time that didn't reference mailman CGIs and got 404 status.


>Do any webservers convert /foo///bar to /bar?  So maybe they're aiming
>at /includes/session.php, which I guess must also be scriptalias'ed?


I think that's what they're looking for. On my server, they also tried
//includes/session.php and ///includes/session.php without the
preceeding mailman stuff.

It may be some not very smart script kiddies thing that just happens to
hit a few mailman CGIs. They do seem to have some knowledge of my site
because one of the GETs was for
/mailman/private/VALID_LIST_NAME///includes/session.php?baseDir=../../../../../../../../etc/passwd
which returned the login page which they ignored.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan