Hello all. When I was pen-testing a client who was running Mailman v1.1 and mucking with the URLs, I found that if you pass nothing to the URL www.victim.org/mailman/edithtml it spills the following information:

    Bug in Mailman version 1.1

    We're sorry, we hit a bug!

    If you would like to help us identify the problem, please email a copy of this page to the webmaster for this site with a description of what happened. Thanks!

    Traceback:

    Traceback (innermost last):
      File "/home/mailman/install/scripts/driver", line 112, in run_main
        main()
      File "/home/mailman/install/Mailman/Cgi/edithtml.py", line 49, in main
        path = os.environ['PATH_INFO']
      File "/usr/local/lib/python1.5/UserDict.py", line 12, in __getitem__
        def __getitem__(self, key): return self.data[key]
    KeyError: PATH_INFO

    --------------------------------------------------------------------------------

    Environment variables:

    Variable                Value
    DOCUMENT_ROOT           /home/www/XXXXXXXXXXXXX
    SERVER_ADDR             XXX.XXX.XXX.XXX
    HTTP_ACCEPT_ENCODING    gzip, deflate
    SERVER_PORT             80
    REMOTE_ADDR             XX.XX.XX.XX
    HTTP_ACCEPT_LANGUAGE    en-us
    GATEWAY_INTERFACE       CGI/1.1
    SERVER_NAME             insecure.mailmanserver.org
    HTTP_CONNECTION         Keep-Alive
    HTTP_USER_AGENT         Mozilla/4.0
    HTTP_ACCEPT             image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    REQUEST_URI             /mailman/edithtml
    PATH                    /sbin:/usr/sbin:/bin:/usr/bin
    QUERY_STRING
    SCRIPT_FILENAME         /home/mailman/mailman/cgi-bin/edithtml
    HTTP_HOST               insecure.mailmanserver.org
    REQUEST_METHOD          GET
    SERVER_SIGNATURE        Apache/1.3.9 Server at insecure.mailmanserver.org Port 80
    SCRIPT_NAME             /mailman/edithtml
    SERVER_ADMIN            xxxat_private
    SERVER_SOFTWARE         Apache/1.3.9 (Unix)
    PYTHONPATH              /home/mailman/install
    SERVER_PROTOCOL         HTTP/1.1
    REMOTE_PORT             61464

Obviously this gives an attacker a good amount of information. From testing other hosts about the internet I've come to the following conclusions: all are insecure up to version 2.0. The 2.0betaX's are insecure, but 2.0 itself is not.
If you have any further questions please let me know at the following address: idawsonat_private. I've notified the people who run list.org, but since it is patched after v2.0 I imagine they already know. But I did not see anything in my exploit searches that would point to this ever being discovered/discussed.

Thanks,
Isaac.

From my testing:

    2.0beta6                 vuln
    2.0beta2                 vuln
    1.1                      vuln
    -=================================-
    2.0.1                    not vuln
    version 2.0.5 (101270)   not vuln
    2.0.5                    not vuln
    version 2.0rc1           not vuln
    2.0.3                    not vuln
    2.0                      not vuln

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
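As an added example that is not part of the original post and not Mailman's own code: the failing lookup from the traceback above beside a hardened version, with a toy stand-in for the CGI driver's error handling that shows the difference between an error page that dumps the environment to the client and one that keeps those details in the server log. The function names, the driver stand-in and the sample environment are assumptions.

```python
import sys
import traceback

def lookup_path_info_unsafe(environ):
    """Mailman 1.1 style lookup (reconstructed from the traceback above):
    a missing PATH_INFO raises KeyError, which the driver then turns into
    a page carrying the traceback and every environment variable."""
    return environ['PATH_INFO']

def lookup_path_info_safe(environ):
    """Hardened lookup: a missing or empty PATH_INFO is bad input and fails
    with a controlled ValueError instead of an unhandled KeyError."""
    path = environ.get('PATH_INFO', '')
    if not path:
        raise ValueError('missing PATH_INFO')
    return path

def run_cgi(handler, environ, leak_details):
    """Toy stand-in for the scripts/driver error handling (hypothetical,
    not the real driver). leak_details=True mirrors the 1.1 behaviour:
    traceback plus environment go to the client. False is the defensive
    version: details go to the server log (stderr here) and the client
    gets a generic notice. Returns (status, body)."""
    try:
        return 200, 'Path: ' + handler(environ)
    except (KeyError, ValueError):
        details = traceback.format_exc()
        details += '\n'.join('%s=%s' % kv for kv in sorted(environ.items()))
        if leak_details:
            return 500, "We're sorry, we hit a bug!\n" + details
        sys.stderr.write(details + '\n')  # server-side only
        return 400, 'Bad request: required path component missing.'

# Constructed sample CGI environment for a request to /mailman/edithtml
# with no trailing path (so PATH_INFO is absent), modelled on the report.
SAMPLE_ENV = {
    'REQUEST_URI': '/mailman/edithtml',
    'SCRIPT_NAME': '/mailman/edithtml',
    'SERVER_SOFTWARE': 'Apache/1.3.9 (Unix)',
    'PYTHONPATH': '/home/mailman/install',
    'DOCUMENT_ROOT': '/home/www/example',
}

if __name__ == '__main__':
    for name, handler, leak in (('1.1-style', lookup_path_info_unsafe, True),
                                ('hardened', lookup_path_info_safe, False)):
        status, body = run_cgi(handler, dict(SAMPLE_ENV), leak)
        print('%s -> HTTP %d\n%s\n' % (name, status, body))
```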
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 09:58:58 PDT