Stephen J. Turnbull wrote:

>Mark Sapiro writes:
>
> > Gruver, Sandi wrote:
> > >
> > > !!!! 2 possible successful probes
> > > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd
> > > HTTP Response 200
> > [...]
> > if you look in Mailman's error log, you'll see entries like 'No such list "includes":' and 'No such list "sqlhelp":' corresponding to these because the Mailman CGIs protect against these attacks.
>
>Mark, do you understand what the attacker is trying to exploit here? It's not at all obvious to me. Since /mailman/ is a scriptalias, and those are both actual scripts, it's mailman/private and mailman/admin that are going to be interpreting everything after the script name. The next segment of the path is the listname, and anything after that is either garbage or a query about the list, so I can't see an attempt to exploit mailman here, despite the fact that they're specifically invoking mailman CGIs. Am I missing something?

I think they are shotgunning trying to find a session.php that presumably is vulnerable to the rest of the attack. I saw other URIs at the same time that didn't reference mailman CGIs and got 404 status.

>Do any webservers convert /foo///bar to /bar? So maybe they're aiming at /includes/session.php, which I guess must also be scriptalias'ed?

I think that's what they're looking for. On my server, they also tried //includes/session.php and ///includes/session.php without the preceding mailman stuff.

It may be some not very smart script kiddies thing that just happens to hit a few mailman CGIs. They do seem to have some knowledge of my site because one of the GETs was for

/mailman/private/VALID_LIST_NAME///includes/session.php?baseDir=../../../../../../../../etc/passwd

which returned the login page which they ignored.

--
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
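The triage Mark describes (traversal probes in the access log, some hitting Mailman CGIs where the next path segment becomes the "list name") can be scripted. The following is an added example, not code from the thread or from Mailman; the log lines are constructed, and it goes slightly beyond the thread by also decoding percent-encoded traversal sequences.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original thread);
# the request shapes mirror the probes discussed above, plus one encoded variant.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:12:00:01 -0800] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2009:12:00:02 -0800] "GET /mailman/admin/includes/session.php?baseDir=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1470
203.0.113.7 - - [10/Mar/2009:12:00:03 -0800] "GET ///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 404 291
198.51.100.4 - - [10/Mar/2009:12:05:00 -0800] "GET /mailman/listinfo/mylist HTTP/1.1" 200 4210
"""

# Common/combined log format: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# ScriptAlias'd Mailman CGIs: /mailman/<cgi>/<listname>/<whatever follows>
MAILMAN_RE = re.compile(r'^/mailman/(?P<cgi>[^/]+)(?:/(?P<rest>.*))?$')


def analyze_line(line):
    """Return a dict describing one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding first so "..%2F" is caught as well as "../".
    target = unquote(m.group("target"))
    path, _, query = target.partition("?")
    traversal = bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query))
    cgi = listname = None
    mm = MAILMAN_RE.match(path)
    if mm:
        cgi = mm.group("cgi")
        # The CGI takes the next path segment as the list name; whatever follows
        # (e.g. "//includes/session.php") is interpreted relative to that list or
        # rejected, which is why the error log reports 'No such list "sqlhelp"'.
        listname = (mm.group("rest") or "").split("/", 1)[0] or None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "traversal": traversal, "cgi": cgi, "listname": listname}


def find_probes(log_text):
    """All parsed lines containing a traversal sequence. A 200 from a Mailman
    CGI here is the CGI's own error or login page, not a successful file read."""
    records = (analyze_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["traversal"]]
```

Comparing each probe's `listname` against the 'No such list' entries in Mailman's error log confirms the CGI rejected the request regardless of the HTTP 200.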
