Hi,
Ron Brogden wrote:
> Hey folks. I haven't seen an official post here yet, but as this has already gone out on at least one full-disclosure list I thought it worth mentioning since this will be an actively exploited 0-day:
> http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html

Barry and I were notified on this subject, but both of us are busy with our jobs, so he requested a delay in the disclosure.

> Basically, there is a path traversal issue with Mailman 2.1.5 which will let you access any file that the Mailman user has read access to (at least under Apache 1.3, can't speak for other web servers). I have tested this on a personal box and it does indeed work as advertised.

I've tested with my 1.3.29 installation and verified that Apache PATH_INFO does convert '//' to '/'. Barry also wanted to clarify which Apache version/installation (in combination with Mailman) is vulnerable. A return code of 200 doesn't mean a successful exploit. You should check the Mailman logs/error log as well. (If there is none, chances are the exploit was successful.)

> One temporary workaround is to stop access to "/mailman/private" via your web server configuration. I would wait for a formal patch notice from the developers before patching the actual Mailman code.

Also, the newly introduced script bin/reset_pw.py may be useful if your list has really been exploited. (It should be viewable from SourceForge CVS, but it looks like it is currently in trouble.)
--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
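Added example, not from this thread or the Mailman project: a Python check a list admin could run over Apache access logs to pick out traversal attempts against /mailman/private. It applies the same '//' to '/' collapsing of PATH_INFO that Tokio verified and, per his note, treats a 200 only as something to confirm against the Mailman error log; the log lines are constructed samples, and the field layout assumed is Apache's common/combined format.

```python
import re
from urllib.parse import unquote

# Constructed Apache 1.3 combined-log lines (not real traffic) used as sample input.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2005:10:12:01 +0900] "GET /mailman/listinfo/test HTTP/1.0" 200 4312
10.0.0.9 - - [07/Feb/2005:10:13:44 +0900] "GET /mailman/private/test/..//..//..//..//etc/passwd HTTP/1.0" 200 1821
10.0.0.9 - - [07/Feb/2005:10:13:50 +0900] "GET /mailman/private/test/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 228
10.0.0.7 - - [07/Feb/2005:10:14:02 +0900] "GET /mailman/private/test/2005-January/000001.html HTTP/1.0" 200 5100
"""

# Fields of a common/combined log line: client, timestamp, method, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DOTDOT = re.compile(r'(^|/)\.\.(/|$)')  # a ".." path component, checked after normalising

def normalize(path):
    """Percent-decode and collapse '//' to '/', as Apache 1.3 does before Mailman sees PATH_INFO."""
    decoded = unquote(path)
    while '//' in decoded:
        decoded = decoded.replace('//', '/')
    return decoded

def scan_access_log(text):
    """Return traversal attempts against /mailman/private, one dict per hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, path, status = m.groups()
        if not path.startswith('/mailman/private'):
            continue
        norm = normalize(path)
        if not DOTDOT.search(norm):
            continue
        status = int(status)
        # A 200 is only a lead: the request reached Mailman, so the Mailman
        # error log decides whether a file was actually served.
        if status == 200:
            verdict = 'possible success: confirm in Mailman error log'
        else:
            verdict = 'request failed at the web server (status %d)' % status
        hits.append({'client': client, 'time': when, 'raw': path,
                     'normalized': norm, 'status': status, 'verdict': verdict})
    return hits

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit['time'], hit['client'], hit['normalized'], hit['verdict'])
```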
