[Bug 1437145] Re: Path traversal vulnerability exists in Mailman and can be exploited if Mailman's MTA is Exim.

Mark Sapiro mark at msapiro.net
Fri Mar 27 07:49:16 CET 2015


** Description changed:

  The recommended Mailman Transport for Exim invokes the Mailman mail
  wrapper with an unedited listname derived from the $local_part of the
  email address less any known suffix.
  
  The problem with this configuration is that $local_part is not
  guaranteed to be safe for use as a filesystem directory name. This
  allows a local attacker to create a directory with a config.pck file in
  a location that the mailman user can access, send an email to an address
  with the directory traversal in it
  (../../../../../tmp/fakelist at domain.com), and then wait for the queue
  runner to execute arbitrary code as the mailman user either via the
  pickle file itself or through an extend.py file in the fake list
  directory. Neither exim nor mailman has code that protects against this
  attack.
  
  The recommended Exim configiration does check that the
- lists/${lc::$local_part}/config.pck file does exist, put this check is
+ lists/${lc::$local_part}/config.pck file does exist, but this check is
  also vulnerable to the path traversal attack.
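Review bot: the unchanged line just above the corrected one still reads "configiration"; since this edit is already fixing a typo in the same sentence ("put" to "but"), correct that word to "configuration" in the same change.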

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1437145

Title:
  Path traversal vulnerability exists in Mailman and can be exploited if
  Mailman's MTA is Exim.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1437145/+subscriptions
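
The description's last point, that an existence test on `lists/<name>/config.pck` is itself subject to the traversal, shown beside a check that confines the derived list name to the lists directory. This is an added example, not part of the original notification and not Mailman or Exim code; the allow-list pattern, the suffix sample and the directory layout are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: a conservative allow-list for list names, not Mailman's own rule.
SAFE_LISTNAME = re.compile(r"[a-z0-9][a-z0-9._+-]*\Z")
# Constructed sample of suffixes to strip ("less any known suffix").
KNOWN_SUFFIXES = ("-bounces", "-owner", "-request")


def listname_from_local_part(local_part):
    name = local_part.lower()
    for suffix in KNOWN_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def naive_exists(lists_root, local_part):
    """The existence test alone: the filesystem follows '../' in the name."""
    name = listname_from_local_part(local_part)
    return os.path.isfile(os.path.join(lists_root, name, "config.pck"))


def resolve_list_dir(lists_root, local_part):
    """Return the real list directory, or None if the name must be rejected."""
    name = listname_from_local_part(local_part)
    if not SAFE_LISTNAME.match(name):
        return None                      # separators, leading dots, NUL, etc.
    root = os.path.realpath(lists_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(candidate) != root:
        return None                      # a symlink led outside the root
    if not os.path.isfile(os.path.join(candidate, "config.pck")):
        return None
    return candidate


def demo():
    """Constructed layout: one real list, one directory outside the lists root."""
    with tempfile.TemporaryDirectory() as base:
        lists_root = os.path.join(base, "var", "lists")
        for d in (os.path.join(lists_root, "reallist"),
                  os.path.join(base, "tmp", "fakelist")):
            os.makedirs(d)
            open(os.path.join(d, "config.pck"), "wb").close()
        cases = ("reallist", "RealList-request", "../../tmp/fakelist")
        return {c: (naive_exists(lists_root, c),
                    resolve_list_dir(lists_root, c) is not None) for c in cases}
```

Each value returned by `demo()` is a pair: the result of the existence test alone, then the result of the confined lookup.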