All Full-Disclosure subscriber accounts were compromised using a previously unpublished flaw in Mailman 2.1.5 on January 2nd, 2005.
1371e58c1a308d16f412036e25cbf4ae34c4b163b4e6554ca896c2c8f4ec7a5c
Hi
On 7th February 2005 I was notified of a number of potentially -
compromised Full-Disclosure subscriber accounts. Following an
investigation it appears that the Mailman configuration database was
obtained from lists.netsys.com on 2nd January 2005 using a remote
directory traversal exploit for a previously unpublished
vulnerability in Mailman 2.1.5.
Subscriber addresses and passwords have been compromised. All list
members are advised to change their password immediately. There do
not appear to be further signs of intrusion although investigations
continue.
The vulnerability lies in the Mailman/Cgi/private.py file:
def true_path(path):
"Ensure that the path is safe by removing .."
path = path.replace('../', '')
path = path.replace('./', '')
return path[1:]
A crafted URL fragment of the form ".../....///" will pass through the
above function and return as "../", thus allowing directory traversal
to occur using the following URL syntax to retrieve an arbitrary path.
/mailman/private/<list>/<path>?username=<username>&password=<password>
Expect vendor advisories nearer the end of the week, for now here is a
suggested fix from Barry Warsaw:
SLASH = '/'
def true_path(path):
"Ensure that the path is safe by removing .."
parts = [x for x in path.split(SLASH) if x not in ('.', '..')]
return SLASH.join(parts)[1:]
This issue only affects Mailman installations running on web servers
that don't strip extraneous slashes from URLs, such as Apache 1.3.x.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0202 to this mailman issue.
Cheers
- John