CVE-2005-0202 - Unspecified vulnerability in GNU Mailman
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Summary
Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences.
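The summary above describes a sanitizer that deletes traversal sequences with regular expressions and can therefore be defeated, because removing one match splices the surviving characters into a new one. The Python below is an added illustration of that bug class, not Mailman's code: `strip_traversal` reconstructs the described pattern, `safe_archive_path` is a constructed alternative that canonicalizes and checks containment, and the archive root is a made-up path.

```python
"""Added illustration of the bug class in CVE-2005-0202 (not Mailman's code).

`strip_traversal` reconstructs the pattern the advisory describes: regular
expressions that delete "../" and "./" once each, left to right.
`safe_archive_path` is a constructed alternative: resolve the path, then
check containment. Both names and the archive root are hypothetical.
"""
import os
import re
from typing import Optional

DOTDOT_SLASH = re.compile(r"\.\./")
DOT_SLASH = re.compile(r"\./")


def strip_traversal(path: str) -> str:
    """Sanitizer of the kind the advisory describes (hypothetical reconstruction).

    re.sub removes non-overlapping matches in a single pass, so the characters
    left on either side of a deleted match can join into a fresh "../" that is
    never re-examined: ".../....///" collapses to "...//" and then to "../".
    """
    path = DOTDOT_SLASH.sub("", path)
    path = DOT_SLASH.sub("", path)
    return path


def safe_archive_path(archive_root: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` under `archive_root`, or None.

    Instead of pattern-matching for bad sequences, resolve the whole path
    (realpath collapses '.' and '..' components and follows symlinks) and then
    require that the result lies strictly inside the root. commonpath compares
    whole components, so a sibling such as ".../privatex" is rejected where a
    plain startswith() check would accept it.
    """
    if not requested or "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    root = os.path.realpath(archive_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed root; the real location depends on the installation.
    ROOT = "/srv/mailman/archives/private"
    for requested in ("mylist/2005-February/000001.html", ".../....///etc/passwd"):
        stripped = strip_traversal(requested)
        print(f"{requested!r}: regex strip -> {stripped!r}; "
              f"containment check on the stripped value -> "
              f"{safe_archive_path(ROOT, stripped)!r}")
```

Note that the raw ".../....///" request resolves to a harmless (non-existent) name inside the root; it is the stripping step that manufactures the "../" which the containment check then rejects.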
Vulnerable Configurations

Part | Description | Count |
---|---|---|
Application | | 7 |
Nessus

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-78-2.NASL
description: Ubuntu Security Announce USN-78-1 described a path traversal vulnerability in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20701
published: 2006-01-15
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20701
title: Ubuntu 4.10 : mailman vulnerabilities (USN-78-2)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-78-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20701);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2005-0202");
  script_xref(name:"USN", value:"78-2");

  script_name(english:"Ubuntu 4.10 : mailman vulnerabilities (USN-78-2)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Ubuntu Security Announce USN-78-1 described a path traversal
vulnerability in the 'private' module of Mailman. Unfortunately this
updated mailman package was broken so that the 'private' module could
not be executed at all any more. The latest package version fixes
this. We apologize for the inconvenience.

For reference, this is the description of the original USN :

An path traversal vulnerability has been discovered in the 'private'
module of Mailman. A flawed path sanitation algorithm allowed the
construction of URLS to arbitrary files readable by Mailman. This
allowed a remote attacker to retrieve configuration and password
databases, private list archives, and other files.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected mailman package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mailman");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"mailman", pkgver:"2.1.5-1ubuntu2.4")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mailman");
}
```

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-136.NASL
description: Updated mailman packages that correct a mailman security issue are now available. The mailman package is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16371
published: 2005-02-10
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/16371
title: RHEL 2.1 / 3 : mailman (RHSA-2005:136)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:136. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16371);
  script_version ("1.23");
  script_cvs_date("Date: 2019/10/25 13:36:11");

  script_cve_id("CVE-2005-0202");
  script_xref(name:"RHSA", value:"2005:136");

  script_name(english:"RHEL 2.1 / 3 : mailman (RHSA-2005:136)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated mailman packages that correct a mailman security issue are now
available.

The mailman package is software to help manage email discussion lists.

A flaw in the true_path function of Mailman was discovered. A remote
attacker who is a member of a private mailman list could use a
carefully crafted URL and gain access to arbitrary files on the server.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0202 to this issue.

Note: Mailman installations running on Apache 2.0-based servers are not
vulnerable to this issue.

Users of mailman should update to these erratum packages that contain a
patch and are not vulnerable to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-0202"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:136"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected mailman package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mailman");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:136";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mailman-2.0.13-7")) flag++;
  if (rpm_check(release:"RHEL3", reference:"mailman-2.1.5-24.rhel3")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mailman");
  }
}
```

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-674.NASL
description: Due to an incompatibility between Python 1.5 and 2.1 the last mailman update did not run with Python 1.5 anymore. This problem is corrected with this update. This advisory only updates the packages updated with DSA 674-2. The version in unstable is not affected since it is not supposed to work with Python 1.5 anymore. For completeness below is the original advisory text : Two security related problems have been discovered in mailman, web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-1177 Florian Weimer discovered a cross-site scripting vulnerability in mailman
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16348
published: 2005-02-10
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16348
title: Debian DSA-674-3 : mailman - XSS, directory traversal

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-267-1.NASL
description: A remote Denial of Service vulnerability was discovered in the decoder for multipart messages. Certain parts of type
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21184
published: 2006-04-04
reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21184
title: Ubuntu 4.10 / 5.04 / 5.10 : mailman vulnerability (USN-267-1)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-132.NASL
description: There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files. The extent of the vulnerability depends on what version of Apache (httpd) you are running, and (possibly) how you have configured your web server. It is believed the vulnerability is not available when Mailman is paired with a version of Apache >= 2.0, however earlier versions of Apache, e.g. version 1.3, will allow the exploit when executing a Mailman CGI script. All versions of Fedora have shipped with the later 2.0 version of Apache and thus if you are running a Fedora release you are not likely to be vulnerable to the exploit unless you have explicitly downgraded the version of your web server. However, installing this version of mailman with a security patch represents a prudent safeguard. This issue has been assigned CVE number CVE-2005-0202. The bug report associated with this is: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=147343 The errata associated with this for RHEL releases is: http://rhn.redhat.com/errata/RHSA-2005-136.html For additional peace of mind, it is recommended that you regenerate your list member passwords. Instructions on how to do this, and more information about this vulnerability are available here : http://www.list.org/security.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 62254
published: 2012-09-24
reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/62254
title: Fedora Core 3 : mailman-2.1.5-30.fc3 (2005-132)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-137.NASL
description: Updated mailman packages to correct a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Mailman is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17191
published: 2005-02-22
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/17191
title: RHEL 4 : mailman (RHSA-2005:137)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-131.NASL
description: There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files. The extent of the vulnerability depends on what version of Apache (httpd) you are running, and (possibly) how you have configured your web server. It is believed the vulnerability is not available when Mailman is paired with a version of Apache >= 2.0, however earlier versions of Apache, e.g. version 1.3, will allow the exploit when executing a Mailman CGI script. All versions of Fedora have shipped with the later 2.0 version of Apache and thus if you are running a Fedora release you are not likely to be vulnerable to the exploit unless you have explicitly downgraded the version of your web server. However, installing this version of mailman with a security patch represents a prudent safeguard. This issue has been assigned CVE number CVE-2005-0202. The bug report associated with this is: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=147343 The errata associated with this for RHEL releases is: http://rhn.redhat.com/errata/RHSA-2005-136.html For additional peace of mind, it is recommended that you regenerate your list member passwords. Instructions on how to do this, and more information about this vulnerability are available here : http://www.list.org/security.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 62253
published: 2012-09-24
reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/62253
title: Fedora Core 2 : mailman-2.1.5-8.fc2 (2005-131)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-037.NASL
description: A vulnerability was discovered in Mailman, which allows a remote directory traversal exploit using URLs of the form
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16461
published: 2005-02-15
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16461
title: Mandrake Linux Security Advisory : mailman (MDKSA-2005:037)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_C7CCC33F7D3111D9A9E70001020EED82.NASL
description: A directory traversal vulnerability in mailman allows remote attackers to read arbitrary files due to inadequate input sanitizing. This could, among other things, lead remote attackers to gaining access to the mailman configuration database (which contains subscriber email addresses and passwords) or to the mail archives for private lists.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19117
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/19117
title: FreeBSD : mailman -- directory traversal vulnerability (c7ccc33f-7d31-11d9-a9e7-0001020eed82)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200502-11.NASL
description: The remote host is affected by the vulnerability described in GLSA-200502-11 (Mailman: Directory traversal vulnerability). Mailman contains an error in private.py which fails to properly sanitize input paths. Impact : An attacker could exploit this flaw to obtain arbitrary files on the web server. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16448
published: 2005-02-14
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/16448
title: GLSA-200502-11 : Mailman: Directory traversal vulnerability

NASL family: CGI abuses
NASL id: MAILMAN_PRIVATEPY_DIRECTORY_TRAVERSAL.NASL
description: According to its version number, the remote installation of Mailman reportedly is affected by a directory traversal vulnerability in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16339
published: 2005-02-10
reporter: This script is Copyright (C) 2005-2018 George A. Theall
source: https://www.tenable.com/plugins/nessus/16339
title: Mailman private.py true_path Function Traversal Arbitrary File Access

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2005-003.NASL
description: The remote host is missing Security Update 2005-003. This security update contains security fixes for the following applications : AFP Server, Bluetooth Setup Assistant, Core Foundation, Cyrus IMAP, Cyrus SASL, Folder Permissions, Mailman, Safari. These programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17587
published: 2005-03-21
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17587
title: Mac OS X Multiple Vulnerabilities (Security Update 2005-003)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SA_2005_007.NASL
description: The remote host is missing the patch for the advisory SUSE-SA:2005:007 (mailman). Mailman is a flexible mailing list management tool. It provides mail controlled subscription front ends and also includes CGI scripts to handle subscription, moderation and archive retrieval and other options. Due to incomplete input validation the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16454
published: 2005-02-14
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16454
title: SUSE-SA:2005:007: mailman

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-78-1.NASL
description: A path traversal vulnerability has been discovered in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20700
published: 2006-01-15
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20700
title: Ubuntu 4.10 : mailman vulnerabilities (USN-78-1)
Oval

Field | Value |
---|---|
accepted | 2013-04-29T04:07:29.219-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences. |
family | unix |
id | oval:org.mitre.oval:def:10657 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key. |
version | 26 |
Redhat

Field | Value |
---|---|
advisories | |
rpms | |
References
- http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031562.html
- http://marc.info/?l=bugtraq&m=110805795122386&w=2
- http://secunia.com/advisories/14211
- http://securitytracker.com/id?1013145
- http://www.debian.org/security/2005/dsa-674
- http://www.gentoo.org/security/en/glsa/glsa-200502-11.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:037
- http://www.novell.com/linux/security/advisories/2005_07_mailman.html
- http://www.redhat.com/support/errata/RHSA-2005-136.html
- http://www.redhat.com/support/errata/RHSA-2005-137.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10657