[Mailman-Users] Re: Critical security update for Mailman 2.1.5

John Dennis jdennis at redhat.com
Fri Feb 11 17:18:05 CET 2005


On Fri, 2005-02-11 at 08:34 -0500, AJ wrote:
> This also stripped it down for me.
> I do not see any logs in error or mischief.
> How can I get it to actually log the attempt so I know this is working?

If you are running with Apache >= 2.0, which many sites are, then Apache
will strip the malicious components of the URL and the defense in
true_path will never get triggered because it will never see the
malformed URL passed by Apache. Thus there is no way to test it with
Apache >= 2.0; in fact, you're not vulnerable to begin with.
-- 
John Dennis <jdennis at redhat.com>



