Mailman private.py true_path Function Traversal Arbitrary File Access

🗓️ 10 Feb 2005 00:00:00Reported by TenableType

Mailman has a directory traversal flaw allowing arbitrary file access on certain web servers.

Reporter	Title	Published	Views	Family All 56
Tenable Nessus	GNU Mailman < 2.1.6 Directory Traversal Arbitrary File Access	10 Feb 200500:00	–	nessus
Tenable Nessus	Debian DSA-674-3 : mailman - XSS, directory traversal	10 Feb 200500:00	–	nessus
Tenable Nessus	Fedora Core 2 : mailman-2.1.5-8.fc2 (2005-131)	24 Sep 201200:00	–	nessus
Tenable Nessus	Fedora Core 3 : mailman-2.1.5-30.fc3 (2005-132)	24 Sep 201200:00	–	nessus
Tenable Nessus	FreeBSD : mailman -- directory traversal vulnerability (c7ccc33f-7d31-11d9-a9e7-0001020eed82)	13 Jul 200500:00	–	nessus
Tenable Nessus	GLSA-200502-11 : Mailman: Directory traversal vulnerability	14 Feb 200500:00	–	nessus
Tenable Nessus	Mac OS X Multiple Vulnerabilities (Security Update 2005-003)	21 Mar 200500:00	–	nessus
Tenable Nessus	Mandrake Linux Security Advisory : mailman (MDKSA-2005:037)	15 Feb 200500:00	–	nessus
Tenable Nessus	RHEL 2.1 / 3 : mailman (RHSA-2005:136)	10 Feb 200500:00	–	nessus
Tenable Nessus	RHEL 4 : mailman (RHSA-2005:137)	22 Feb 200500:00	–	nessus

Source	Link
seclists	www.seclists.org/fulldisclosure/2005/Feb/205
nessus	www.nessus.org/u
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 70300
#
# This script was written by George A. Theall, <[email protected]>.
#
# See the Nessus Scripts License for details.
#

# Changes by Tenable:
# - Revised plugin title, family change (9/5/09)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(16339);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");

  script_cve_id("CVE-2005-0202");
  script_bugtraq_id(12504);

  script_name(english:"Mailman private.py true_path Function Traversal Arbitrary File Access");

  script_set_attribute(attribute:"synopsis", value:
"Authenticated Mailman users can view arbitrary files on the remote
host.");
  script_set_attribute(attribute:"description", value:
"According to its version number, the remote installation of Mailman
reportedly is affected by a directory traversal vulnerability in
'Cgi/private.py'.  The flaw comes into play only on web servers that
don't strip extraneous slashes from URLs, such as Apache 1.3.x, and
allows a list subscriber, using a specially crafted web request, to
retrieve arbitrary files from the server - any file accessible by the
user under which the web server operates, including email addresses
and passwords of subscribers of any lists hosted on the server.  For
example, if '$user' and '$pass' identify a subscriber of the list
'$listname@$target', then the following URL :

  http://$target/mailman/private/$listname/.../....///mailman?username=$user&password=$pass

allows access to archives for the mailing list named 'mailman' for
which the user might not otherwise be entitled.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/205");
  # https://mail.python.org/pipermail/mailman-announce/2005-February/000076.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddd40865");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mailman 2.1.6b1 or apply the fix referenced in the first
URL above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:gnu:mailman");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2025 George A. Theall");

  script_dependencies("mailman_detect.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");


port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);

# Web servers to ignore because it's known they strip extra slashes from URLs.
#
# nb: these can be regex patterns.
web_servers_to_ignore = make_list(
  "Apache(-AdvancedExtranetServer)?/2",                      # Apache 2.x
  'Apache.*/.* \\(Darwin\\)'
);

# Skip check if the server's type and version indicate it's not a problem,
# unless report paranoia is set high.
banner = get_http_banner(port: port);
if (banner && report_paranoia < 2) {
  web_server = strstr(banner, "Server:");
  if (web_server) {
    web_server = web_server - "Server: ";
    web_server = web_server - strstr(web_server, '\r');
    foreach pat (web_servers_to_ignore) {
      if (ereg(string:web_server, pattern:pat)) {
        debug_print("skipping because web server claims to be '", web_server, "'.");
        exit(0);
      }
    }
  }
}


# Test an install.
install = get_kb_item(string("www/", port, "/Mailman"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];

  if (ver =~ "^2\.(0.*|1($|[^0-9.]|\.[1-5]($|[^0-9])))") {
    security_note(port);
  }
}

14 May 2025 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 25

EPSS0.02731