[Mailman-Developers] Re: [Mailman-Users] security heads up - path traversal with 2.1.5

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Tue Feb 15 09:26:04 CET 2005


Barry Warsaw wrote:

> On Wed, 2005-02-09 at 17:00, Tokio Kikuchi wrote:
>>I've tested with my 1.3.29 installation and verified apache PATH_INFO 
>>does convert '//' to '/'. Barry also wanted to clarify which apache 
>>version/installation (combination with mailman) is valnerable. Return 
>>code of 200 doesn't mean sucessful exploit. You should check mailman 
>>logs/error also. (If there is none chances are succesful exploit.)
> Tokio, do you do any rewrites in your 1.3.29 config file?  I just have
> this gut feeling like there's some kind of rewrite rule that caused this
> slash-collapse behavior to be disabled.  FWIW, python.org does not do
> rewrites and we weren't vulnerable.
I might have confused about which server I was testing. I tested again
today and found all the 1.3 servers (on FreeBSD, Solaris, and BSD/OS) I
administering were vulnerable. (Not all are mailman installed). They are
all not using mod_rewrite.

Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp

More information about the Mailman-Users mailing list