[Mailman-Users] message about probes
Mark Sapiro
mark at msapiro.net
Thu Apr 30 01:33:17 CEST 2009
Stephen J. Turnbull wrote:
>Mark Sapiro writes:
> > Gruver, Sandi wrote:
>
> > >!!!! 2 possible successful probes
> > > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> >
[...]
> > if you look in Mailman's error log, you'll see entries like 'No
> > such list "includes":' and 'No such list "sqlhelp":' corresponding
> > to these because the Mailman CGI's protect against these attacks.
>
>Mark, do you understand what the attacker is trying to exploit here?
>It's not at all obvious to me. Since /mailman/ is a scriptalias, and
>those are both actual scripts, it's mailman/private and mailman/admin
>that are going to be interpreting everything after the script name.
>The next segment of the path is the listname, and anything after that
>is either garbage or a query about the list, so I can't see an attempt
>to exploit mailman here, despite the fact that they're specifically
>invoking mailman CGIs. Am I missing something?
I think they are shotgunning trying to find a session.php that
presumably is vulnerable to the rest of the attack. I saw other URIs
at the same time that didn't reference mailman CGIs and got 404 status.
>Do any webservers convert /foo///bar to /bar? So maybe they're aiming
>at /includes/session.php, which I guess must also be scriptalias'ed?
I think that's what they're looking for. On my server, they also tried
//includes/session.php and ///includes/session.php without the
preceeding mailman stuff.
It may be some not very smart script kiddies thing that just happens to
hit a few mailman CGIs. They do seem to have some knowledge of my site
because one of the GETs was for
/mailman/private/VALID_LIST_NAME///includes/session.php?baseDir=../../../../../../../../etc/passwd
which returned the login page which they ignored.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users
mailing list