SecurityTracker.com

SecurityTracker
Archives

Category:   Application (E-mail Server)  >   Mailman
Vendors:   GNU [multiple authors]
(SuSE Issues Fix) Mailman Input Validation Hole in 'private.py' Discloses Files to Remote Users
SecurityTracker Alert ID:  1013181
SecurityTracker URL:  http://securitytracker.com/id/1013181
CVE Reference:   CVE-2005-0202
Date:  Feb 15 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.1 - 2.1.5
Description:   An input validation vulnerability was reported in Mailman in 'private.py'. A remote user can access arbitrary files on the target system.

The true_path() function does not properly validate user-supplied input. A remote user who is a member of a private Mailman list can submit a specially crafted input value to access files on the system, including the Mailman configuration files and passwords.

A demonstration exploit may contain the following string:

"/...../"

Marcus Meissner reported this flaw.
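The flaw above is a path-confinement failure: a lookup function trusted a user-supplied path component instead of checking where it actually resolves. The following is an added example, not Mailman's code and not the vendor fix, showing the check a defender wants in such a function: canonicalise with the OS and compare against the archive root, rather than matching dot patterns textually. ARCHIVE_ROOT, the list name and the request strings are constructed sample values; the function names are hypothetical.

```python
import os

# Constructed sample root for a private-archive directory (not a real install).
ARCHIVE_ROOT = "/var/lib/mailman/archives/private"


def safe_archive_path(archive_root, requested):
    """Resolve a user-supplied archive path and confine it to archive_root.

    Hypothetical replacement for a true_path()-style lookup. The request is
    treated as relative to the root even when it begins with '/', then
    canonicalised (symlinks and '..' resolved by the OS). Anything whose
    canonical form is outside the root is refused.

    Returns the absolute path on success, None if the request escapes.
    """
    root = os.path.realpath(archive_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    try:
        # commonpath raises ValueError for mixed absolute/relative inputs
        # or different drives; treat that as a refusal as well.
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        return None
    return candidate


def is_confined(archive_root, requested):
    """True if the request resolves to a location under archive_root."""
    return safe_archive_path(archive_root, requested) is not None


if __name__ == "__main__":
    # Constructed requests: two ordinary, two that try to leave the root,
    # and the odd dot run quoted in the advisory (a literal name to the OS).
    for req in ("mylist/2005-February.txt", "/mylist/index.html",
                "../../etc/passwd", "mylist/../../../secrets.cfg",
                "/...../mylist"):
        print(f"{req!r:40} -> {safe_archive_path(ARCHIVE_ROOT, req)}")
```

Note that the decision rests on the canonical path, so the check does not need a list of "dangerous" substrings; unusual tokens such as "....." are simply ordinary directory names to the OS, while any sequence that really climbs above the root is caught after resolution.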

Impact:   A remote user can access arbitrary files on the target system, including the mailman configuration files with user e-mail addresses and passwords.
Solution:   SuSE has issued a fix.

x86 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mailman-2.1.5-5.6.i586.rpm
714996a830908538e30e6109faf58d23
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mailman-2.1.5-5.6.i586.patch.rpm
0f11a3a3c2631c94eef59ef1842e7db9
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/mailman-2.1.5-5.6.src.rpm
df7d92ece2ea37cfb628b258be127b44

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mailman-2.1.4-83.13.i586.rpm
9ee909db5738e5a9d2cbe8642b36df2e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mailman-2.1.4-83.13.i586.patch.rpm
e549d97d81eea96155d2de124c8f2be7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/mailman-2.1.4-83.13.src.rpm
33964c2c5fe71a65a04e62f12b295775

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mailman-2.1.2-93.i586.rpm
41b55c17abb0021bd9da56c5684ec0ad
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mailman-2.1.2-93.i586.patch.rpm
fc20d3fdfc0463c02809bce81ba46a8c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mailman-2.1.2-93.src.rpm
3c6b3c25093c3ccf8d385a7b1e86fdb6

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mailman-2.1.1-110.i586.rpm
b5ee2af05bc7037e6d3e66988b9789b9
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mailman-2.1.1-110.i586.patch.rpm
c198e0a9bfb3c7bc828b1f6173834407
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mailman-2.1.1-110.src.rpm
e42568b562cccb8d572b5782a3fa2f09
x86-64 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/mailman-2.1.5-5.6.x86_64.rpm
ab82f4faac15b4b0cf635937b1cc2ab5
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/mailman-2.1.5-5.6.x86_64.patch.rpm
074305e1baa53bfe6959293100dc8682
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/mailman-2.1.5-5.6.src.rpm
df7d92ece2ea37cfb628b258be127b44

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mailman-2.1.4-83.13.x86_64.rpm
ab93f0276b9cc701224eb16c2404a7e9
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mailman-2.1.4-83.13.x86_64.patch.rpm
8dd9e3317ef89e3e2e8a184c02aacfbc
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/mailman-2.1.4-83.13.src.rpm
62e6d965c15d9795ddcda560a6f2264f

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mailman-2.1.2-93.x86_64.rpm
594f24a7c84defef412b517a4994ee88
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mailman-2.1.2-93.x86_64.patch.rpm
187da073862f34b011bda55894e9b74d
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mailman-2.1.2-93.src.rpm
0672d542ab787352b9d10b71394ffcfe

Vendor URL:  mailman.sf.net/
Cause:   Input validation error
Underlying OS:  Linux (SuSE)
Underlying OS Comments:  8.2, 9.0, 9.1, 9.2, SUSE Linux Enterprise Server 8, 9

Message History:   This archive entry is a follow-up to the message listed below.
Feb 10 2005 Mailman Input Validation Hole in 'private.py' Discloses Files to Remote Users

Copyright 2021, SecurityGlobal.net LLC