Authenticated Mailman users can view arbitrary files on the remote host. Description : According to its version number, the remote installation of Mailman reportedly is prone to a directory traversal vulnerability in 'Cgi/private.py'. The flaw comes into play only on web servers that don't strip extraneous slashes from URLs, such as Apache 1.3.x, and allows a list subscriber, using a specially crafted web request, to retrieve arbitrary files from the server - any file accessible by the user under which the web server operates, including email addresses and passwords of subscribers of any lists hosted on the server. For example, if '$user' and '$pass' identify a subscriber of the list '$listname@$target', then the following URL : http://$target/mailman/private/$listname/.../....///mailman?username=$user&password=$pass allows access to archives for the mailing list named 'mailman' for which the user might not otherwise be entitled.

Upgrade to Mailman 2.1.6b1 or apply the fix referenced in the first URL above.

• http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
• http://mail.python.org/pipermail/mailman-announce/2005-February/000076.html

---

Updated on 2015-03-25