Vulnerabilities > CVE-2004-0412 - Password Retrieval vulnerability in GNU Mailman

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server.

Vulnerable Configurations

Part Description Count
Application
Gnu
6

Nessus

  • NASL familyMisc.
    NASL idMAILMAN_PASSWORD_RETRIEVAL.NASL
    descriptionThe target is running a version of the Mailman mailing list software that allows a list subscriber to retrieve the Mailman password of any other subscriber by means of a specially crafted mail message to the server. That is, a message sent to $listname-request@$target containing the two command lines `password address=$victim` and `password address=$subscriber` will return the passwords of both $victim and $subscriber for the list $listname@$target. Note: Nessus has determined that the vulnerability exists on the target simply by looking at the version number of Mailman installed there; no request is sent to the list server, so a distribution package carrying a backported fix (such as the MDKSA-2004:051 packages) but still reporting a pre-2.1.5 version string may still be flagged.
    last seen2020-06-01
    modified2020-06-02
    plugin id12253
    published2004-05-26
    reporterThis script is Copyright (C) 2004-2018 George A. Theall
    sourcehttps://www.tenable.com/plugins/nessus/12253
    titleMailman Crafted Email Remote User Password Disclosure
    code
    #
    # This script was written by George A. Theall, <[email protected]>.
    #
    # See the Nessus Scripts License for details.
    #
    
    # Changes by Tenable:
    # - Revised plugin title, output formatting (9/2/09)
    # - Revised plugin title (8/13/12)
    
    include("compat.inc");
    
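    if (description)
    {
      script_id(12253);
      script_version("1.22");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      # Identifiers and vendor advisories for this issue.
      script_cve_id("CVE-2004-0412");
      script_bugtraq_id(10412);
      script_xref(name:"CLSA", value:"CLSA-2004:842");
      script_xref(name:"FLSA", value:"FEDORA-2004-1734");
      script_xref(name:"GLSA", value:"GLSA-200406-04");
      script_xref(name:"MDKSA", value:"MDKSA-2004:051");
    
      # "Crafted", not "Crated": this title is what appears in scan reports.
      script_name(english:"Mailman Crafted Email Remote User Password Disclosure");
      script_summary(english:"Checks for Mailman Password Retrieval Vulnerability");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is running a mailing list application that is 
    affected by a password disclosure vulnerability." );
      # The description deliberately spells out the two-line mail command so
      # that an analyst can confirm the finding by hand against a test list;
      # the plugin itself never sends mail (see the banner note at the end).
      script_set_attribute(attribute:"description", value:
    "The target is running a version of the Mailman mailing list software
    that allows a list subscriber to retrieve the mailman password of any
    other subscriber by means of a specially crafted mail message to the
    server.  That is, a message sent to $listname-request@$target 
    containing the lines :
    
        password address=$victim
        password address=$subscriber
    
    will return the password of both $victim and $subscriber for the list
    $listname@$target. 
    
    ***** Nessus has determined the vulnerability exists on the target
    ***** simply by looking at the version number of Mailman installed
    ***** there." );
      script_set_attribute(attribute:"see_also", value:"http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mailman version 2.1.5 or newer as this reportedly fixes 
    the issue." );
    
      # CVSSv2 5.0: network, no auth, partial confidentiality loss only.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      # NOTE(review): these flags track packaged exploit code; the mail
      # command quoted in the description above is itself sufficient to
      # reproduce the issue, so treat "no known exploits" accordingly.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2004/05/26");
      script_set_attribute(attribute:"vuln_publication_date", value: "2004/05/15");
      script_set_attribute(attribute:"plugin_type", value: "remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:gnu:mailman");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 George A. Theall");
      script_family(english:"Misc.");
      # mailman_detect.nasl populates the www/<port>/Mailman KB entries that
      # the check below reads; without it this plugin finds nothing.
      script_dependencie("global_settings.nasl", "http_version.nasl", "mailman_detect.nasl");
      script_require_ports("Services/www", 80);
      exit(0);
    }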
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
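    port = get_http_port(default:80, embedded:TRUE);
    if (!get_port_state(port)) exit(0);
    debug_print(level: 2, "checking for Mailman Password Retrieval vulnerability on port ", port, ".");
    
    # mailman_detect.nasl records each instance as "<version> under <dir>".
    # This is a version check only: nothing is sent to the list server, so a
    # distribution package with a backported fix that still reports a
    # pre-2.1.5 version string may be flagged as well. Stop at the first
    # vulnerable instance.
    installs = get_kb_list(string("www/", port, "/Mailman"));
    if (isnull(installs)) exit(0);
    foreach install (installs) {
      matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
      if (!isnull(matches)) {
        ver = matches[1];
        dir = matches[2];
        debug_print(level:2, "checking version ", ver, " under ", dir, ".");
    
        # Affected: every 2.1 release before 2.1.5 -- 2.1b2-2.1b6, 2.1rc1,
        # the bare "2.1" final release, and 2.1.1-2.1.4. The previous pattern
        # did not match a plain "2.1" version string although MDKSA-2004:051
        # lists versions >= 2.1 as affected, so that release was missed.
        # The trailing ([^0-9]|$) keeps 2.1.10 and later from matching 2.1.1.
        if (ereg(pattern:"^2\.1(b[2-6]|rc1|\.[1-4]([^0-9]|$)|$)", string:ver)) {
          security_warning(port);
          exit(0);
        }
      }
    }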
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-168.NASL
    descriptionFixes security issue CVE-2004-0412 noted in bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559 Mailman subscriber passwords could be retrieved by a remote attacker. Security hole is fixed in mailman-2.1.5 Important Installation Note: Some users have reported problems with bad queue counts after upgrading to version 2.1.5, the operating assumption is this was caused by performing an install while mailman was running. Prior to installing this rpm stop the mailman service via: % /sbin/service mailman stop Then after installation completes restart the service via: % /sbin/service mailman start Red Hat RPM versions of mailman 2.1.5-6 and above have enhanced the init.d script that controls the mailman service so that
    last seen2020-06-01
    modified2020-06-02
    plugin id13722
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13722
    titleFedora Core 2 : mailman-2.1.5-7 (2004-168)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_AD9D251834714737B60B9A1F51023B28.NASL
    descriptionBarry Warsaw reports : Today I am releasing Mailman 2.1.5, a bug fix release [...] This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sites upgrade to the latest version.
    last seen2020-06-01
    modified2020-06-02
    plugin id19079
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19079
    titleFreeBSD : mailman -- password disclosure (ad9d2518-3471-4737-b60b-9a1f51023b28)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-051.NASL
    descriptionMailman versions >= 2.1 have an issue where 3rd parties can retrieve member passwords from the server. The updated packages have a patch backported from 2.1.5 to correct the issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id14150
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14150
    titleMandrake Linux Security Advisory : mailman (MDKSA-2004:051)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200406-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200406-04 (Mailman: Member password disclosure vulnerability) Mailman contains an unspecified vulnerability in the handling of request emails. Impact : By sending a carefully crafted email request to the mailman server an attacker could obtain member passwords. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id14515
    published2004-08-30
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/14515
    titleGLSA-200406-04 : Mailman: Member password disclosure vulnerability
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-167.NASL
    descriptionFixes security issue CVE-2004-0412 noted in bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559 Mailman subscriber passwords could be retrieved by a remote attacker. Security hole is fixed in mailman-2.1.5 Important Installation Note: Some users have reported problems with bad queue counts after upgrading to version 2.1.5, the operating assumption is this was caused by performing an install while mailman was running. Prior to installing this rpm stop the mailman service via: % /sbin/service mailman stop Then after installation completes restart the service via: % /sbin/service mailman start Red Hat RPM versions of mailman 2.1.5-6 and above have enhanced the init.d script that controls the mailman service so that
    last seen2020-06-01
    modified2020-06-02
    plugin id13721
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13721
    titleFedora Core 1 : mailman-2.1.5-6 (2004-167)