[Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability

Hi

On 7th February 2005 I was notified of a number of potentially -
compromised Full-Disclosure subscriber accounts. Following an
investigation it appears that the Mailman configuration database was
obtained from lists.netsys.com on 2nd January 2005 using a remote
directory traversal exploit for a previously unpublished
vulnerability in Mailman 2.1.5.

Subscriber addresses and passwords have been compromised. All list
members are advised to change their password immediately. There do
not appear to be further signs of intrusion although investigations
continue.

The vulnerability lies in the Mailman/Cgi/private.py file:

def true_path(path):
"Ensure that the path is safe by removing …"
path = path.replace('…/', '')
path = path.replace('./', '')
return path[1:]

A crafted URL fragment of the form "…/…///" will pass through the
above function and return as "…/", thus allowing directory traversal
to occur using the following URL syntax to retrieve an arbitrary path.

/mailman/private/<list>/<path>?username=<username>&password=<password>

Expect vendor advisories nearer the end of the week, for now here is a
suggested fix from Barry Warsaw:

SLASH = '/'

def true_path(path):
"Ensure that the path is safe by removing …"
parts = [x for x in path.split(SLASH) if x not in ('.', '…')]
return SLASH.join(parts)[1:]

This issue only affects Mailman installations running on web servers
that don't strip extraneous slashes from URLs, such as Apache 1.3.x.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0202 to this mailman issue.

Cheers

• John

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html