Bug found in list.org's Mailman software.

From: bluefur0r bluefur0r (bluefur0rat_private)
Date: Sat Jul 14 2001 - 14:03:45 PDT

    Hello all,
    While I was pen-testing a client who was running Mailman v1.1 and mucking with the URLs, I found that if you pass nothing to the URL www.victim.org/mailman/edithtml, it spills the following information:
    Bug in Mailman version 1.1
    
    We're sorry, we hit a bug!
    If you would like to help us identify the problem, please email a copy of this page to the webmaster for this site with a description of what happened. Thanks! 
    
    Traceback:
    
    
    Traceback (innermost last):
      File "/home/mailman/install/scripts/driver", line 112, in run_main
        main()
      File "/home/mailman/install/Mailman/Cgi/edithtml.py", line 49, in main
        path = os.environ['PATH_INFO']
      File "/usr/local/lib/python1.5/UserDict.py", line 12, in __getitem__
        def __getitem__(self, key): return self.data[key]
    KeyError: PATH_INFO
    
    --------------------------------------------------------------------------------
    
    Environment variables:
    Variable Value 
    DOCUMENT_ROOT  /home/www/XXXXXXXXXXXXX
    SERVER_ADDR  XXX.XXX.XXX.XXX  
    HTTP_ACCEPT_ENCODING  gzip, deflate  
    SERVER_PORT  80  
    REMOTE_ADDR  XX.XX.XX.XX  
    HTTP_ACCEPT_LANGUAGE  en-us  
    GATEWAY_INTERFACE  CGI/1.1  
    SERVER_NAME  insecure.mailmanserver.org
    HTTP_CONNECTION  Keep-Alive  
    HTTP_USER_AGENT  Mozilla/4.0 
    HTTP_ACCEPT  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*  
    REQUEST_URI  /mailman/edithtml  
    PATH  /sbin:/usr/sbin:/bin:/usr/bin  
    QUERY_STRING   
    SCRIPT_FILENAME  /home/mailman/mailman/cgi-bin/edithtml  
    HTTP_HOST        insecure.mailmanserver.org
    REQUEST_METHOD  GET  
    SERVER_SIGNATURE  Apache/1.3.9 Server at insecure.mailmanserver.org Port 80 
    SCRIPT_NAME  /mailman/edithtml  
    SERVER_ADMIN  xxxat_private
    SERVER_SOFTWARE  Apache/1.3.9 (Unix)  
    PYTHONPATH  /home/mailman/install  
    SERVER_PROTOCOL  HTTP/1.1  
    REMOTE_PORT  61464  
    
    Obviously this gives an attacker a good amount of information. From testing other hosts around the Internet I've come to the following conclusions:
    all are insecure up to version 2.0; the 2.0betaX releases are insecure, but 2.0 itself is not.
    If you have any further questions, please let me know at the following address:
    idawsonat_private
    I've notified the people who run list.org, but since it is patched after v2.0 I imagine they already know. But I did not see anything in my exploit searches that would point to this ever being discovered/discussed. Thanks,
    isaac.
    From my testings:
    2.0beta6 vuln
    2.0beta2 vuln
    1.1 vuln
    -=================================-
    2.0.1 not vuln
    version 2.0.5 (101270) not vuln
    2.0.5 not vuln
    version 2.0rc1 not vuln
    2.0.3 not vuln
    2.0 not vuln
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service, which
    automatically alerts you to the latest security vulnerabilities, please see:
    https://alerts.securityfocus.com/
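As an added illustration (not code from the post or from Mailman itself), the pattern behind the traceback above and its two defensive fixes in Python 3: the bare `PATH_INFO` subscript from edithtml.py line 49 beside a handler that validates it, plus a driver wrapper that keeps the traceback and the CGI variable table out of the response. Variable names follow the dump above; the values are constructed placeholders, and the function names are assumptions.

```python
import html
import sys
import traceback
from typing import Callable, Mapping, Tuple

# Constructed CGI environment using the variable names from the dump above;
# the values are placeholders, not the ones in the report.
SAMPLE_ENV = {
    "REQUEST_URI": "/mailman/edithtml",
    "SCRIPT_NAME": "/mailman/edithtml",
    "SCRIPT_FILENAME": "/home/mailman/mailman/cgi-bin/edithtml",
    "PYTHONPATH": "/home/mailman/install",
    "DOCUMENT_ROOT": "/home/www/placeholder-docroot",
    "SERVER_ADMIN": "webmaster@placeholder.invalid",
}
# Server-side details that never belong in a response body.
SENSITIVE_KEYS = ("SCRIPT_FILENAME", "PYTHONPATH", "DOCUMENT_ROOT", "SERVER_ADMIN", "PATH")

def vulnerable_main(environ: Mapping[str, str]) -> str:
    """Same shape as edithtml.py line 49 in the traceback: a bare subscript,
    so a request with no path suffix raises KeyError into the driver."""
    return environ["PATH_INFO"]

def hardened_main(environ: Mapping[str, str]) -> Tuple[int, str]:
    """Validate PATH_INFO up front and answer a missing list name with a
    fixed 400 body instead of letting the exception escape."""
    parts = [p for p in environ.get("PATH_INFO", "").split("/") if p]
    if not parts:
        return 400, "Bad request: no list name given."
    return 200, "Editing HTML for list %s" % html.escape(parts[0])

def run_cgi(main: Callable[[Mapping[str, str]], Tuple[int, str]],
            environ: Mapping[str, str]) -> Tuple[int, str]:
    """Driver-level fix: an uncaught exception is logged server-side and the
    client gets a generic page with no traceback and no CGI variables."""
    try:
        return main(environ)
    except Exception:
        traceback.print_exc(file=sys.stderr)  # stays in the server log only
        return 500, "We're sorry, we hit a bug! Please contact the site administrator."

def leaks_server_details(body: str, environ: Mapping[str, str]) -> bool:
    """Regression check for the error path: does the body echo any sensitive value?"""
    return any(environ.get(k) and environ[k] in body for k in SENSITIVE_KEYS)
```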
    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 09:58:58 PDT