Mailman private.py true_path Function Traversal Arbitrary File Access

low Nessus Plugin ID 16339

Synopsis

Authenticated Mailman users can view arbitrary files on the remote host.

Description

According to its version number, the remote installation of Mailman reportedly is affected by a directory traversal vulnerability in 'Cgi/private.py'. The flaw comes into play only on web servers that don't strip extraneous slashes from URLs, such as Apache 1.3.x, and allows a list subscriber, using a specially crafted web request, to retrieve arbitrary files from the server - any file accessible by the user under which the web server operates, including email addresses and passwords of subscribers of any lists hosted on the server. For example, if '$user' and '$pass' identify a subscriber of the list '$listname@$target', then the following URL :

http://$target/mailman/private/$listname/.../....///mailman?username=$user&password=$pass

allows access to archives for the mailing list named 'mailman' for which the user might not otherwise be entitled.

Solution

Upgrade to Mailman 2.1.6b1 or apply the fix referenced in the first URL above.

See Also

https://seclists.org/fulldisclosure/2005/Feb/205

http://www.nessus.org/u?ddd40865

Plugin Details

Severity: Low

ID: 16339

File Name: mailman_privatepy_directory_traversal.nasl

Version: 1.26

Type: remote

Family: CGI abuses

Published: 2/10/2005

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 3

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:gnu:mailman

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2/9/2005

Reference Information

CVE: CVE-2005-0202

BID: 12504