[Mailman-Users] What does "Possible malformed path attack" actually mean?
Sebastian Hagedorn
Hagedorn at uni-koeln.de
Tue Sep 13 06:51:58 EDT 2016
--On 12. September 2016 um 18:06:14 -0700 Mark Sapiro <mark at msapiro.net>
wrote:
> On 09/12/2016 12:02 PM, Sebastian Hagedorn wrote:
>>
>> So far I haven't been able to understand what is going on. I can't find
>> any questionable requests in Apache's access log from the GSA. Any ideas
>> what could be causing this?
>
>
> It is caused by an attempt to get a mailman URL that contains spaces or
> characters not in the printable ascii set [\x21-\x7e].
>
> The reason behind this is to disallow CR and LF in particular. This was
> a security enhancement in Mailman 2.1.9. From the NEWS
>
> - A malicious user could visit a specially crafted URI and inject an
> apparent log message into Mailman's error log which might induce an
> unsuspecting administrator to visit a phishing site. This has been
> blocked. Thanks to Moritz Naumann for its discovery.
Thanks. I figured out that the GSA is appending %20 to one of our many
lists name:
134.95.x.x - - [13/Sep/2016:11:33:22 +0200] "GET
/mailman/listinfo/list-name%20 HTTP/1.0" 200 7630 "-" "gsa-crawler
(Enterprise; T4-XXXXXXXXX; redacted at uni-koeln.de)"
Now we only have to understand why ...
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/mailman-users/attachments/20160913/6d8d5b54/attachment-0001.sig>
More information about the Mailman-Users
mailing list