Mark Sapiro writes:

> Gruver, Sandi wrote:
>
> > !!!! 2 possible successful probes
> > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd
> > HTTP Response 200
>
> I saw the same thing in my Logwatch the other day. These messages are
> reported in the httpd report.
Aha, I see where I went wrong ... /mailman is an Apache ScriptAlias (or equivalent), isn't it. (I prefer a cgi-bin ScriptAlias so it's immediately obvious what the URL is supposed to resolve to.) Good to know that this probably isn't a problem after all. But do check the logs to make sure that it is mailman's CGIs that are being accessed!

> if you look in Mailman's error log, you'll see entries like 'No
> such list "includes":' and 'No such list "sqlhelp":' corresponding
> to these because the Mailman CGI's protect against these attacks.

Mark, do you understand what the attacker is trying to exploit here? It's not at all obvious to me. Since /mailman/ is a scriptalias, and those are both actual scripts, it's mailman/private and mailman/admin that are going to be interpreting everything after the script name. The next segment of the path is the listname, and anything after that is either garbage or a query about the list, so I can't see an attempt to exploit mailman here, despite the fact that they're specifically invoking mailman CGIs. Am I missing something? Do any webservers convert /foo///bar to /bar? So maybe they're aiming at /includes/session.php, which I guess must also be scriptalias'ed?

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
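An added example (mine, not code from this thread or from Mailman) that does the log check suggested above over constructed httpd lines: it splits each request the way a /mailman ScriptAlias plus a Mailman CGI would (list name = first non-empty PATH_INFO segment, which is my reading of Mailman 2.1's GetPathPieces) and flags query parameters that carry a '..' segment. The alias path, the CGI name list and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT_ALIAS = "/mailman"  # assumed ScriptAlias prefix; real sites differ
# Mailman 2.1 cgi-bin script names (assumption; check your own cgi-bin directory)
MAILMAN_CGIS = {"admin", "admindb", "confirm", "create", "edithtml", "listinfo",
                "options", "private", "rmlist", "roster", "subscribe"}

def has_traversal(value):
    """True if a decoded value contains a '..' path segment (decodes again to catch %2e%2e)."""
    return ".." in unquote(value).replace("\\", "/").split("/")

def resolve(target):
    """Split a request target the way ScriptAlias and a Mailman CGI would, or None if not aliased."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not (path == SCRIPT_ALIAS or path.startswith(SCRIPT_ALIAS + "/")):
        return None
    rest = path[len(SCRIPT_ALIAS):].lstrip("/")
    script, _, path_info = rest.partition("/")
    # Mailman takes the list name from the first non-empty PATH_INFO segment;
    # the empty segments produced by '///' are dropped and later segments are ignored.
    segs = [s for s in path_info.split("/") if s]
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "script": script,
        "known_cgi": script in MAILMAN_CGIS,
        "listname": segs[0] if segs else None,
        "ignored_path": "/".join(segs[1:]),
        "traversal_params": sorted(k for k, vs in query.items() if any(has_traversal(v) for v in vs)),
    }

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def triage(lines):
    """One finding per log line whose target hits the alias and carries a '..' parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        info = resolve(m.group("target"))
        if info and info["traversal_params"]:
            info["status"] = int(m.group("status"))
            findings.append(info)
    return findings

# Constructed sample lines in Apache combined log format (not the poster's real logs).
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2010:00:00:01 +0000] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [01/Jan/2010:00:00:02 +0000] "GET /mailman/listinfo/mylist HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.4 - - [01/Jan/2010:00:00:03 +0000] "GET /includes/session.php?baseDir=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 200 "-" "-"',
]
```

For the probe quoted above the finding shows script "private", list name "sqlhelp" and the rest of the path ignored, which is why Mailman only logs 'No such list'; a request to the same script outside the alias resolves to None and is a matter for the site's PHP configuration instead.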