Mailman 1.1 Writable Variable Vulnerability

Solution:
Upgrade to a later version of Mailman, or install the supplied patch.

According to the original poster (the full message is linked in the credit section):
"This patch was provided by the Mailman developers and later cleaned up to work against a stock 1.1 distribution. It works by only allowing listowners to change case values within the name of their list."

-------------------- snip snip --------------------
*** admin.py.bak Mon Mar 13 21:03:53 2000
--- admin.py Mon Mar 13 21:04:51 2000
***************
*** 784,789 ****
--- 784,800 ----
val = cgi_info[property].value
value = GetValidValue(lst, property, kind, val, deps)
if getattr(lst, property) != value:
+ # TBD: Ensure that lst.real_name differs only in letter
+ # case. Otherwise a security hole can potentially be opened
+ # when using an external archiver. This seems ad-hoc and
+ # could use a more general security policy.
+ if property == 'real_name' and + string.lower(value) <> string.lower(lst._internal_name):
+ # then don't install this value.
+ document.AddItem("""<p><b>real_name</b> attribute not
+ changed! It must differ from the list's name by case
+ only.<p>""")
+ continue
setattr(lst, property, value)
dirty = 1
#
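Review bot: The case-only restriction on real_name is enforced inline in this one option-processing loop in admin.py, so it covers only changes that pass through this handler, and the TBD comment in the hunk itself calls the check ad hoc. Consider moving the comparison against lst._internal_name into the validation step (GetValidValue is already called two lines above with the property name) so every caller that validates real_name gets the same rule, and confirm that the string module is imported in admin.py, since the hunk calls string.lower without showing an import. Separately, the condition as shown here reads "if property == 'real_name' and + string.lower(value) <> ...", which looks like two added lines joined with the line continuation lost, and the indentation is gone throughout, so the patch should be taken from the original message rather than copied from this page.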
-------------------- snip snip --------------------

Copyright 2010, SecurityFocus