On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote:

> I've tested with my 1.3.29 installation and verified apache PATH_INFO 
> does convert '//' to '/'. Barry also wanted to clarify which apache 
> version/installation (combination with mailman) is vulnerable. Return 
> code of 200 doesn't mean successful exploit. You should check mailman 
> logs/error also. (If there is none chances are successful exploit.)

Tokio, do you do any rewrites in your 1.3.29 config file?  I just have
this gut feeling like there's some kind of rewrite rule that caused this
slash-collapse behavior to be disabled.  FWIW, python.org does not do
rewrites and we weren't vulnerable.

-Barry
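The thread turns on whether the application can count on the front-end server folding '//' into '/' in PATH_INFO. As an added illustration (not code from the thread, Mailman, or Apache), here is a small canonicalisation routine an application can run on its own side so that its directory check does not depend on what the web server did upstream; `collapse_slashes` and `safe_segments` are assumed helper names.

```python
from typing import List, Optional


def collapse_slashes(path_info: str) -> str:
    """Fold runs of '/' into one, the behaviour the thread attributes to Apache.

    Doing this inside the application means a front-end that does *not*
    collapse (a rewrite rule in the way, a different server) gives the
    same result as one that does.
    """
    out = []
    prev_slash = False
    for ch in path_info:
        if ch == "/":
            if prev_slash:
                continue          # drop the repeated slash
            prev_slash = True
        else:
            prev_slash = False
        out.append(ch)
    return "".join(out)


def safe_segments(path_info: str) -> Optional[List[str]]:
    """Return the cleaned PATH_INFO segments, or None if the path is refused.

    Assumed helper, not Mailman's own code. Rather than resolving '..'
    (which can silently walk out of the intended directory), any '.' or
    '..' segment, backslash or NUL byte causes the whole path to be rejected.
    """
    collapsed = collapse_slashes(path_info)
    segments = [s for s in collapsed.split("/") if s]
    clean = []
    for seg in segments:
        if seg in (".", "..") or "\\" in seg or "\0" in seg:
            return None
        clean.append(seg)
    return clean


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real request log.
    for p in ("/private//mylist/index.html", "/private/../other", "///"):
        print(repr(p), "->", safe_segments(p))
```

Logging the rejected path alongside the refusal gives the "check the mailman logs/error" signal the quoted reply recommends, instead of relying on the HTTP status code alone.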


------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

As a general rule, if you have questions regarding sensitive security issues, 
you can post them to [EMAIL PROTECTED], which is a closed distribution list.

Please do not otherwise discuss sensitive security issues on any public mailing 
list, until such time as an official announcement has been made, including 
availability of a patch, etc....

Even if the issue has been publicly discussed in other forums, you should wait 
for the official announcements before discussing them publicly, whether on 
mailman-users, mailman-developers, or elsewhere.
