Family: Remote file access --> Category: infos
Mailman private.py Directory Traversal Vulnerability Vulnerability Scan
Vulnerability Scan Summary: Checks for Mailman private.py Directory Traversal Vulnerability
Detailed Explanation for this Vulnerability Test
Synopsis :
Authenticated Mailman users can view arbitrary files on the remote
host.
Description :
According to its version number, the remote installation of Mailman
reportedly is prone to a directory traversal vulnerability in
'Cgi/private.py'. The flaw comes into play only on web servers that
don't strip extraneous slashes from URLs, such as Apache 1.3.x, and
allows a list subscriber, using a specially crafted web request, to
retrieve arbitrary files from the server - any file accessible by the
user under which the web server operates, including email addresses
and passwords of subscribers of any lists hosted on the server. For
example, if '$user' and '$pass' identify a subscriber of the list
'$listname@$target', then the following URL :
http://$target/mailman/private/$listname/.../....///mailman?username=$user&password=$pass
allows access to archives for the mailing list named 'mailman', to
which the user might not otherwise be entitled.
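A log review for the request shape described above, as an added example that is not part of this scan or of Mailman: it flags requests under /mailman/private/ whose path contains dot-only segments or repeated slashes. It assumes Apache common log format; the sample lines, addresses and list name are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2005:10:00:01 +0000] "GET /mailman/private/staff/2005-February/000012.html HTTP/1.0" 200 5120
192.0.2.44 - - [10/Feb/2005:10:02:17 +0000] "GET /mailman/private/staff/.../....///mailman?username=USER&password=PASS HTTP/1.0" 200 812
192.0.2.10 - - [10/Feb/2005:10:04:30 +0000] "GET /mailman/private/staff/ HTTP/1.0" 200 2204
192.0.2.10 - - [10/Feb/2005:10:05:00 +0000] "GET /mailman/listinfo/staff HTTP/1.0" 200 3301
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PRIVATE_PREFIX = "/mailman/private/"      # CGI path taken from the example URL
DOT_SEGMENT_RE = re.compile(r"^\.{2,}$")  # "..", "...", "....", and so on


def suspicious_reasons(target):
    """Return the reasons a request target matches the described pattern."""
    path = unquote(urlsplit(target).path)  # decode percent-escapes first
    if not path.startswith(PRIVATE_PREFIX):
        return []
    rest = path[len(PRIVATE_PREFIX):]
    reasons = []
    if any(DOT_SEGMENT_RE.match(seg) for seg in rest.split("/")):
        reasons.append("dot-only path segment")
    if "//" in rest:
        reasons.append("repeated slashes")
    return reasons


def scan(log_text):
    """Return (client, status, target, reasons) for each flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        reasons = suspicious_reasons(target)
        if reasons:
            hits.append((client, int(status), target, reasons))
    return hits


if __name__ == "__main__":
    for client, status, target, reasons in scan(SAMPLE_LOG):
        print(f"{client} status={status} {', '.join(reasons)}: {target}")
```

A flagged request that returned status 200 deserves the closest look, and because the credentials travel in the query string they will also be present in the access log itself.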
See also :
http://mail.python.org/pipermail/mailman-announce/2005-February/000076.html
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
Solution :
Upgrade to Mailman 2.1.6b1 or apply the fix referenced in the first
URL above.
Threat Level:
Low / CVSS Base Score : 2
(AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)