CERT VU:363726
History: Feb 04, 2011 - 12:00 a.m.

Majordomo 2 _list_file_get() directory traversal vulnerability

2011-02-04 00:00:00
www.kb.cert.org

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.881 High
Percentile: 98.6%

Overview

Majordomo 2 contains a directory traversal vulnerability in the _list_file_get() function, which may allow a remote, unauthenticated attacker to obtain sensitive information.

Description

Majordomo 2 contains a directory traversal vulnerability in the _list_file_get() function (lib/Majordomo.pm) caused by an input validation error when handling files. An attacker can exploit this vulnerability via directory traversal specifiers sent in a specially crafted request to any of the application’s interfaces (e.g. email or web).

Additional information regarding this vulnerability can be found in this Sitewatch Advisory.
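
The input validation this class of bug calls for, as an added example in Perl (the language of lib/Majordomo.pm). It is not Majordomo's code and not the fix shipped in snapshot 20110204; the helper name resolve_list_file and the directory layout are hypothetical, and the sample files are constructed in a temporary directory.

```perl
#!/usr/bin/perl
# Added example: hypothetical helper, not Majordomo's own code.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Resolve a requester-supplied file name inside a list's file directory.
# Returns the canonical path, or undef when the name escapes the directory.
sub resolve_list_file {
    my ($base_dir, $requested) = @_;
    return undef unless defined $requested && length $requested;
    return undef if $requested =~ /\0/;                      # embedded NUL
    return undef if File::Spec->file_name_is_absolute($requested);
    # Reject any ".." path component before touching the filesystem.
    return undef if grep { $_ eq '..' } split m{[/\\]+}, $requested;

    my $base = realpath($base_dir);
    return undef unless defined $base;
    # realpath() follows symlinks, so a link pointing outside is caught below.
    my $full = realpath(File::Spec->catfile($base, $requested));
    return undef unless defined $full && -f $full;
    return index($full, "$base/") == 0 ? $full : undef;
}

# Constructed sample layout: one public file, one secret outside the base.
my $root = tempdir(CLEANUP => 1);
my $base = "$root/files";
mkdir $base or die "mkdir: $!";
for my $f ("$base/info.txt", "$root/secret.conf") {
    open my $fh, '>', $f or die "open $f: $!";
    print {$fh} "sample\n";
    close $fh;
}
symlink "$root/secret.conf", "$base/link.txt";   # link that points outside

for my $name ('info.txt', '../secret.conf', 'sub/../../secret.conf',
              "$root/secret.conf", 'link.txt') {
    my $path = resolve_list_file($base, $name);
    printf "%-24s %s\n", $name, defined $path ? 'served' : 'rejected';
}
```

The check is applied to the decoded name at the point of file access, so it covers every interface (email or web) that reaches the lookup.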


Impact

A remote unauthenticated attacker could obtain sensitive information.


Solution

Update
Majordomo 2 recommends users update to snapshot 20110204 or later.


Vendor Information

The vulnerability is reported in snapshots prior to 20110204.



Majordomo 2 Affected

Updated: February 04, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


Acknowledgements

This vulnerability was reported by Michael Brooks.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2011-0049
Severity Metric: 25.20
Date Public:
