Message-ID: <20050209181502.GA26136@grok.org.uk>
From: johnc at grok.org.uk (John Cartwright)
Subject: Administrivia: List Compromised due to Mailman Vulnerability

Hi

On 7th February 2005 I was notified of a number of potentially
compromised Full-Disclosure subscriber accounts. Following an 
investigation it appears that the Mailman configuration database was 
obtained from lists.netsys.com on 2nd January 2005 using a remote 
directory traversal exploit for a previously unpublished 
vulnerability in Mailman 2.1.5. 

Subscriber addresses and passwords have been compromised. All list 
members are advised to change their password immediately. There do
not appear to be further signs of intrusion although investigations
continue.

The vulnerability lies in the Mailman/Cgi/private.py file:

def true_path(path):
    "Ensure that the path is safe by removing .."
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]

A crafted URL fragment of the form ".../....///" will pass through the 
above function and return as "../", thus allowing directory traversal 
to occur using the following URL syntax to retrieve an arbitrary path.

/mailman/private/<list>/<path>?username=<username>&password=<password>

Expect vendor advisories nearer the end of the week, for now here is a 
suggested fix from Barry Warsaw:

SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]

This issue only affects Mailman installations running on web servers
that don't strip extraneous slashes from URLs, such as Apache 1.3.x.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0202 to this mailman issue.

Cheers
- John
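Added example (not part of John's message, and not Mailman's own code apart from the two true_path() bodies quoted above): the vulnerable Mailman 2.1.5 true_path() and the suggested replacement side by side, fed the crafted ".../....///" fragment. It assumes, from the URL syntax in the advisory, that true_path() receives a PATH_INFO beginning with "/<list>/"; the archive root, the list name "mylist" and the slash-merging server model are constructed for illustration. Nothing touches the filesystem; the escape check is a posixpath string computation.

```python
"""
Vulnerable and fixed Mailman true_path() side by side, driven with the
crafted fragment from the advisory.  Added example; only the two function
bodies are taken from the advisory text.
"""
import posixpath

SLASH = '/'

# Assumed archive root and list name, constructed for this example.
ARCHIVE_ROOT = '/var/lib/mailman/archives/private'
LIST_NAME = 'mylist'


def true_path_vulnerable(path):
    """Mailman 2.1.5 behaviour: two sequential substring replacements.
    Deleting '../' and './' joins the surrounding characters into a fresh
    '../' that the function never re-examines."""
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]


def true_path_fixed(path):
    """Suggested fix: filter whole path components, not substrings.
    Dropping a component can never create a new '.' or '..' component."""
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]


def traversal_payload(listname, depth, target):
    """Build the PATH_INFO produced by the advisory's URL syntax (assumed
    to begin with '/<list>/'), with `depth` copies of the crafted fragment.
    Each copy collapses to exactly one '../' in the vulnerable function."""
    return SLASH + listname + SLASH + '.../....///' * depth + target


def collapse_slashes(path):
    """Model (an assumption, not any server's real code) of a web server
    that merges runs of '/' in the request path before the CGI sees it,
    the behaviour the advisory says leaves an installation unaffected."""
    out = []
    for ch in path:
        if ch == SLASH and out and out[-1] == SLASH:
            continue
        out.append(ch)
    return ''.join(out)


def escapes_archive(relative, root=ARCHIVE_ROOT):
    """True if joining `relative` onto `root` and normalising lands outside
    `root`.  Pure string arithmetic via posixpath, no filesystem access."""
    full = posixpath.normpath(posixpath.join(root, relative))
    return full != root and not full.startswith(root + SLASH)


if __name__ == '__main__':
    for depth in (1, 2, 3):
        raw = traversal_payload(LIST_NAME, depth, 'etc/passwd')
        for label, fn in (('vulnerable', true_path_vulnerable),
                          ('fixed', true_path_fixed)):
            out = fn(raw)
            print('%-10s depth=%d -> %-42s escapes=%s'
                  % (label, depth, out, escapes_archive(out)))
        # The same request after a slash-merging server normalised it.
        out = true_path_vulnerable(collapse_slashes(raw))
        print('%-10s depth=%d -> %-42s escapes=%s'
              % ('collapsed', depth, out, escapes_archive(out)))
```

Running it shows why one fragment is not enough: a single ".../....///" only cancels the "<list>/" directory, so the resolved path is still under the archive root; from two fragments upward the vulnerable function climbs out of it, while the component-based fix leaves the odd-dotted names as literal directory components and the slash-merging server model turns the fragment into a harmless run of dots.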
