What does "Possible malformed path attack" actually mean?

Hi,
today I updated our installation of Mailman to version 2.1.23. Prior to the upgrade there were "Possible malformed path attack" log entries, but without any further details I never bothered to look for their cause. After the update I can now see where they are coming from, and it's our own Google Search Appliance (GSA).
So far I haven't been able to understand what is going on. I can't find any questionable requests in Apache's access log from the GSA. Any ideas what could be causing this?
Thanks,
Sebastian
Sebastian Hagedorn - Weyertal 121, Zimmer 2.02 Regionales Rechenzentrum (RRZK) Universität zu Köln / Cologne University - Tel. +49-221-470-89578

On 09/12/2016 12:02 PM, Sebastian Hagedorn wrote:
It is caused by an attempt to get a mailman URL that contains spaces or characters not in the printable ASCII set [\x21-\x7e].
The reason behind this is to disallow CR and LF in particular. This was a security enhancement in Mailman 2.1.9. From the NEWS:
- A malicious user could visit a specially crafted URI and inject an apparent log message into Mailman's error log which might induce an unsuspecting administrator to visit a phishing site. This has been blocked. Thanks to Moritz Naumann for its discovery.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--On 12 September 2016 at 18:06:14 -0700 Mark Sapiro <mark@msapiro.net> wrote:
Thanks. I figured out that the GSA is appending %20 to one of our many list names:
134.95.x.x - - [13/Sep/2016:11:33:22 +0200] "GET /mailman/listinfo/list-name%20 HTTP/1.0" 200 7630 "-" "gsa-crawler (Enterprise; T4-XXXXXXXXX; redacted@uni-koeln.de)"
Now we only have to understand why ...
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
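
Added example (not part of the original thread and not Mailman's own code): a small Python scan of Apache access-log lines that percent-decodes each /mailman/ request path and reports bytes outside the [\x21-\x7e] set described above. It assumes the check is applied to the decoded path, which is why an encoded "%20" is easy to overlook in the access log; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request field of an Apache access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Complement of the allowed set quoted in the thread, [\x21-\x7e]
DISALLOWED = re.compile(rb'[^\x21-\x7e]')

# First line is the request quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    '134.95.x.x - - [13/Sep/2016:11:33:22 +0200] "GET /mailman/listinfo/list-name%20 '
    'HTTP/1.0" 200 7630 "-" "gsa-crawler (Enterprise; T4-XXXXXXXXX; redacted@uni-koeln.de)"',
    '192.0.2.10 - - [13/Sep/2016:11:34:01 +0200] "GET /mailman/listinfo/list-name '
    'HTTP/1.1" 200 7630 "-" "-"',
    '192.0.2.11 - - [13/Sep/2016:11:35:40 +0200] "GET /mailman/listinfo/list-name%0D%0Ax '
    'HTTP/1.1" 200 7630 "-" "-"',
]

def disallowed_bytes(target):
    """Return the bytes of the percent-decoded path that fall outside 0x21-0x7e."""
    path = target.split('?', 1)[0]          # ignore any query string
    return DISALLOWED.findall(unquote_to_bytes(path))

def scan(lines, prefix='/mailman/'):
    """Yield (client, raw target, offending bytes) for requests under prefix."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not m.group('target').startswith(prefix):
            continue
        bad = disallowed_bytes(m.group('target'))
        if bad:
            # The client address is the first field of the log line.
            yield line.split(' ', 1)[0], m.group('target'), bad

if __name__ == '__main__':
    for client, target, bad in scan(SAMPLE_LOG):
        print(client, target, bad)
```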
