[Mailman-Users] message about probes
Stephen J. Turnbull
stephen at xemacs.org
Wed Apr 29 17:28:50 CEST 2009
Mark Sapiro writes:
> Gruver, Sandi wrote:
> >!!!! 2 possible successful probes
> > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> I saw the same thing in my Logwatch the other day. These messages are
> reported in the httpd report.
Aha, I see where I went wrong ... /mailman is an Apache ScriptAlias
(or equivalent), isn't it. (I prefer a cgi-bin ScriptAlias so it's
immediately obvious what the URL is supposed to resolve to.)
Good to know that this probably isn't a problem after all. But do
check the logs to make sure that it is mailman's CGIs that are being
> if you look in Mailman's error log, you'll see entries like 'No
> such list "includes":' and 'No such list "sqlhelp":' corresponding
> to these because the Mailman CGI's protect against these attacks.
Mark, do you understand what the attacker is trying to exploit here?
It's not at all obvious to me. Since /mailman/ is a scriptalias, and
those are both actual scripts, it's mailman/private and mailman/admin
that are going to be interpreting everything after the script name.
The next segment of the path is the listname, and anything after that
is either garbage or a query about the list, so I can't see an attempt
to exploit mailman here, despite the fact that they're specifically
invoking mailman CGIs. Am I missing something?
Do any webservers convert /foo///bar to /bar? So maybe they're aiming
at /includes/session.php, which I guess must also be scriptalias'ed?
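One way to triage log lines like the one quoted above, as an added example that is not part of this thread or of Mailman's own code: the script below parses constructed Apache-style request lines, decodes the target, collapses the repeated slashes the way a web server would, and reports how the request would be dispatched if /mailman is a ScriptAlias (CGI name, then list name, then leftover path the CGI ignores), flagging any request whose path or query carries a `..` segment. The log lines, the addresses and the `/mailman` alias assumption are all constructed for the example.

```python
"""Triage of 'possible probe' lines of the kind quoted in this thread.

Added example, not from the original post or from Mailman. Assumes that
/mailman is an Apache ScriptAlias, so the segment after it names the CGI
and the following segment is the list name, as the thread describes.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache common-log shape (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2009:10:12:01 +0200] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 1482',
    '203.0.113.5 - - [29/Apr/2009:10:12:02 +0200] "GET /mailman/admin/sqlhelp///includes/session.php?baseDir=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1482',
    '198.51.100.9 - - [29/Apr/2009:10:15:44 +0200] "GET /mailman/listinfo/sqlhelp HTTP/1.1" 200 5120',
    '198.51.100.9 - - [29/Apr/2009:10:15:45 +0200] "POST /mailman/subscribe/sqlhelp HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A whole '..' segment in either slash style, checked after percent-decoding.
DOTDOT_RE = re.compile(r'(^|[/\\=?&])\.\.([/\\]|$)')

SCRIPT_ALIAS = "/mailman"  # assumption: the ScriptAlias prefix on this server


def parse_request(line):
    """Pull method, request target and status out of one log line (None if no match)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "target": m.group("target"),
        "status": int(m.group("status")),
    }


def has_traversal(text):
    """True if the percent-decoded text contains a '..' path segment."""
    return DOTDOT_RE.search(unquote(text)) is not None


def analyze_target(target):
    """Describe how a request target under the ScriptAlias would be dispatched.

    Collapsing the repeated slashes gives /mailman/private/sqlhelp/includes/session.php,
    not /includes/session.php: the CGI still receives 'sqlhelp' as the list name and the
    remainder as extra path it does not use to open files.
    """
    parts = urlsplit(target)
    clean = posixpath.normpath(parts.path)  # collapses '///' and resolves '.' / '..'
    segments = [s for s in clean.split("/") if s]
    under_alias = clean.startswith(SCRIPT_ALIAS + "/")
    script = segments[1] if under_alias and len(segments) > 1 else None
    listname = segments[2] if under_alias and len(segments) > 2 else None
    trailing = "/".join(segments[3:]) if under_alias else ""
    return {
        "normalized_path": clean,
        "script": script,
        "listname": listname,
        "trailing": trailing,
        "traversal": has_traversal(parts.path) or has_traversal(parts.query),
    }


def scan_log(lines):
    """Return one finding per line whose target carries a '..' segment, with dispatch details."""
    findings = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        info = analyze_target(req["target"])
        if info["traversal"]:
            findings.append({**req, **info})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['status']} {f['script']} list={f['listname']!r} "
              f"extra={f['trailing']!r} <- {f['target']}")
```

A finding with status 200 here only says that the Mailman CGI answered the request; as Mark notes, the corresponding entry to look for is the 'No such list' line in Mailman's error log, which shows the CGI treated the traversal string as a bogus list name rather than a file path.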