[Mailman-Users] What does "Possible malformed path attack" actually mean?

Sebastian Hagedorn Hagedorn at uni-koeln.de
Tue Sep 13 06:51:58 EDT 2016

--On 12. September 2016 um 18:06:14 -0700 Mark Sapiro <mark at msapiro.net> 

> On 09/12/2016 12:02 PM, Sebastian Hagedorn wrote:
>> So far I haven't been able to understand what is going on. I can't find
>> any questionable requests in Apache's access log from the GSA. Any ideas
>> what could be causing this?
> It is caused by an attempt to get a mailman URL that contains spaces or
> characters not in the printable ascii set [\x21-\x7e].
> The reason behind this is to disallow CR and LF in particular. This was
> a security enhancement in Mailman 2.1.9. From the NEWS
> - A malicious user could visit a specially crafted URI and inject an
>   apparent log message into Mailman's error log which might induce an
>   unsuspecting administrator to visit a phishing site.  This has been
>   blocked.  Thanks to Moritz Naumann for its discovery.

Thanks. I figured out that the GSA is appending %20 to one of our many 
lists name:

134.95.x.x - - [13/Sep/2016:11:33:22 +0200] "GET 
/mailman/listinfo/list-name%20 HTTP/1.0" 200 7630 "-" "gsa-crawler 
(Enterprise; T4-XXXXXXXXX; redacted at uni-koeln.de)"

Now we only have to understand why ...
    .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                 .:.Regionales Rechenzentrum (RRZK).:.
   .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/mailman-users/attachments/20160913/6d8d5b54/attachment-0001.sig>

More information about the Mailman-Users mailing list