[ Docs | Tools | Advisories | Full-Disclosure ]

Date: Wed, 9 Feb 2005 18:15:02 +0000
From: John Cartwright <johnc@grok.org.uk>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability

Hi

On 7th February 2005 I was notified of a number of potentially -
compromised Full-Disclosure subscriber accounts. Following an 
investigation it appears that the Mailman configuration database was 
obtained from lists.netsys.com on 2nd January 2005 using a remote 
directory traversal exploit for a previously unpublished 
vulnerability in Mailman 2.1.5. 

Subscriber addresses and passwords have been compromised. All list 
members are advised to change their password immediately. There do
not appear to be further signs of intrusion although investigations
continue.

The vulnerability lies in the Mailman/Cgi/private.py file:

def true_path(path):
    "Ensure that the path is safe by removing .."
    path = path.replace('../', '')
    path = path.replace('./', '')
    return path[1:]

A crafted URL fragment of the form ".../....///" will pass through the 
above function and return as "../", thus allowing directory traversal 
to occur using the following URL syntax to retrieve an arbitrary path.

/mailman/private/<list>/<path>?username=<username>&password=<password>

Expect vendor advisories nearer the end of the week, for now here is a 
suggested fix from Barry Warsaw:

SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
    return SLASH.join(parts)[1:]

This issue only affects Mailman installations running on web servers
that don't strip extraneous slashes from URLs, such as Apache 1.3.x.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0202 to this mailman issue.

Cheers
- John