ID CVE-2005-0202
Summary Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences.
Vulnerable Configurations
  • GNU Mailman 2.1
    cpe:2.3:a:gnu:mailman:2.1
  • GNU Mailman 2.1.1
    cpe:2.3:a:gnu:mailman:2.1.1
  • GNU Mailman 2.1.2
    cpe:2.3:a:gnu:mailman:2.1.2
  • GNU Mailman 2.1.3
    cpe:2.3:a:gnu:mailman:2.1.3
  • GNU Mailman 2.1.4
    cpe:2.3:a:gnu:mailman:2.1.4
  • GNU Mailman 2.1.5
    cpe:2.3:a:gnu:mailman:2.1.5
  • GNU Mailman 2.1b1
    cpe:2.3:a:gnu:mailman:2.1b1
CVSS
Base: 5.0 (as of 06-06-2005 - 08:57)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-003.NASL
    description The remote host is missing Security Update 2005-003. This security update contains security fixes for the following applications : - AFP Server - Bluetooth Setup Assistant - Core Foundation - Cyrus IMAP - Cyrus SASL - Folder Permissions - Mailman - Safari These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 17587
    published 2005-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17587
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-003)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200502-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-200502-11 (Mailman: Directory traversal vulnerability) Mailman contains an error in private.py which fails to properly sanitize input paths. Impact : An attacker could exploit this flaw to obtain arbitrary files on the web server. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 16448
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16448
    title GLSA-200502-11 : Mailman: Directory traversal vulnerability
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-78-1.NASL
    description A path traversal vulnerability has been discovered in the 'private' module of Mailman. A flawed path sanitation algorithm allowed the construction of URLs to arbitrary files readable by Mailman. This allowed a remote attacker to retrieve configuration and password databases, private list archives, and other files. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20700
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20700
    title Ubuntu 4.10 : mailman vulnerabilities (USN-78-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-267-1.NASL
    description A remote Denial of Service vulnerability was discovered in the decoder for multipart messages. Certain parts of type 'message/delivery-status' or parts containing only two blank lines triggered an exception. An attacker could exploit this to crash Mailman by sending a specially crafted email to a mailing list. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 21184
    published 2006-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21184
    title Ubuntu 4.10 / 5.04 / 5.10 : mailman vulnerability (USN-267-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-037.NASL
    description A vulnerability was discovered in Mailman, which allows a remote directory traversal exploit using URLs of the form '.../....///' to access private Mailman configuration data. The vulnerability lies in the Mailman/Cgi/private.py file. Updated packages correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16461
    published 2005-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16461
    title Mandrake Linux Security Advisory : mailman (MDKSA-2005:037)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-674.NASL
    description Due to an incompatibility between Python 1.5 and 2.1 the last mailman update did not run with Python 1.5 anymore. This problem is corrected with this update. This advisory only updates the packages updated with DSA 674-2. The version in unstable is not affected since it is not supposed to work with Python 1.5 anymore. For completeness below is the original advisory text : Two security related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-1177 Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page that would include the malicious code verbatim. - CAN-2005-0202 Several listmasters have noticed unauthorised access to archives of private lists and the list configuration itself, including the users' passwords. Administrators are advised to check the webserver logfiles for requests that contain '/...../' and the path to the archives or configuration. This only seems to affect installations running on web servers that do not strip slashes, such as Apache 1.3.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 16348
    published 2005-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16348
    title Debian DSA-674-3 : mailman - XSS, directory traversal
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-136.NASL
    description Updated mailman packages that correct a mailman security issue are now available. The mailman package is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16371
    published 2005-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16371
    title RHEL 2.1 / 3 : mailman (RHSA-2005:136)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2005_007.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2005:007 (mailman). Mailman is a flexible mailing list management tool. It provides mail controlled subscription front ends and also includes CGI scripts to handle subscription, moderation and archive retrieval and other options. Due to incomplete input validation the 'private' CGI script which handles archive retrieval could be used to read any file on the system, including the configuration database of the mailman lists which include passwords in plain text. A remote attacker just needs a valid account on one mailing list managed by this mailman instance. This update fixes this problem and is tracked under the Mitre CVE ID CVE-2005-0202. Please see section (3), 'special instructions and notes'. Our previous mailman update (only announced in the SUSE Summary Report) additionally fixed the following two security problems: - a cross site scripting problem (CVE-2004-1177) - too weak auto generated passwords (CVE-2004-1143) This previous security fix requires the additional 'python-xml' RPM which was not required before.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 16454
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16454
    title SUSE-SA:2005:007: mailman
  • NASL family CGI abuses
    NASL id MAILMAN_PRIVATEPY_DIRECTORY_TRAVERSAL.NASL
    description According to its version number, the remote installation of Mailman reportedly is affected by a directory traversal vulnerability in 'Cgi/private.py'. The flaw comes into play only on web servers that don't strip extraneous slashes from URLs, such as Apache 1.3.x, and allows a list subscriber, using a specially crafted web request, to retrieve arbitrary files from the server - any file accessible by the user under which the web server operates, including email addresses and passwords of subscribers of any lists hosted on the server. For example, if '$user' and '$pass' identify a subscriber of the list '$listname@$target', then the following URL : http://$target/mailman/private/$listname/.../....///mailman?username=$user&password=$pass allows access to archives for the mailing list named 'mailman' for which the user might not otherwise be entitled.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16339
    published 2005-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16339
    title Mailman private.py true_path Function Traversal Arbitrary File Access
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C7CCC33F7D3111D9A9E70001020EED82.NASL
    description A directory traversal vulnerability in mailman allows remote attackers to read arbitrary files due to inadequate input sanitizing. This could, among other things, lead to remote attackers gaining access to the mailman configuration database (which contains subscriber email addresses and passwords) or to the mail archives for private lists.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 19117
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19117
    title FreeBSD : mailman -- directory traversal vulnerability (c7ccc33f-7d31-11d9-a9e7-0001020eed82)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-137.NASL
    description Updated mailman packages to correct a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Mailman is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17191
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17191
    title RHEL 4 : mailman (RHSA-2005:137)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-78-2.NASL
    description Ubuntu Security Announce USN-78-1 described a path traversal vulnerability in the 'private' module of Mailman. Unfortunately this updated mailman package was broken so that the 'private' module could not be executed at all any more. The latest package version fixes this. We apologize for the inconvenience. For reference, this is the description of the original USN : A path traversal vulnerability has been discovered in the 'private' module of Mailman. A flawed path sanitation algorithm allowed the construction of URLs to arbitrary files readable by Mailman. This allowed a remote attacker to retrieve configuration and password databases, private list archives, and other files. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20701
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20701
    title Ubuntu 4.10 : mailman vulnerabilities (USN-78-2)
oval via4
accepted 2013-04-29T04:07:29.219-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences.
family unix
id oval:org.mitre.oval:def:10657
status accepted
submitted 2010-07-09T03:56:16-04:00
title dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2005:136
  • rhsa
    id RHSA-2005:137
refmap via4
apple APPLE-SA-2005-03-21
bugtraq 20050209 [USN-78-1] Mailman vulnerability
debian DSA-674
fulldisc 20050209 Administrivia: List Compromised due to Mailman Vulnerability
gentoo GLSA-200502-11
mandrake MDKSA-2005:037
sectrack 1013145
secunia 14211
suse SUSE-SA:2005:007
Last major update 17-10-2016 - 23:08
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29