[Mailman-Users] message about probes

Stephen J. Turnbull stephen at xemacs.org
Wed Apr 29 17:28:50 CEST 2009

Mark Sapiro writes:
 > Gruver, Sandi wrote:

 > >!!!! 2 possible successful probes
 > > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
 > I saw the same thing in my Logwatch the other day. These messages are
 > reported in the httpd report.

Aha, I see where I went wrong ... /mailman is an Apache ScriptAlias
(or equivalent), isn't it.  (I prefer a cgi-bin ScriptAlias so it's
immediately obvious what the URL is supposed to resolve to.)

Good to know that this probably isn't a problem after all.  But do
check the logs to make sure that it is mailman's CGIs that are being

 > if you look in Mailman's error log, you'll see entries like 'No
 > such list "includes":' and 'No such list "sqlhelp":' corresponding
 > to these because the Mailman CGI's protect against these attacks.

Mark, do you understand what the attacker is trying to exploit here?
It's not at all obvious to me.  Since /mailman/ is a scriptalias, and
those are both actual scripts, it's mailman/private and mailman/admin
that are going to be interpreting everything after the script name.
The next segment of the path is the listname, and anything after that
is either garbage or a query about the list, so I can't see an attempt
to exploit mailman here, despite the fact that they're specifically
invoking mailman CGIs.  Am I missing something?

Do any webservers convert /foo///bar to /bar?  So maybe they're aiming
at /includes/session.php, which I guess must also be scriptalias'ed?

More information about the Mailman-Users mailing list