[ISN] Flaw in mail-list software leaks passwords

InfoSec News isn at c4i.org
Fri Feb 11 03:39:49 EST 2005


By Robert Lemos 
Staff Writer, CNET News.com
February 10, 2005

A previously unknown vulnerability in Mailman, a popular open-source
program for managing mailing lists, has led to the theft of the
password file for a well-known security discussion group.

The theft, discovered this week and reported in an announcement to the
Full Disclosure security mailing list on Wednesday, casts uncertainty
on the security of other discussion groups that use the open-source
Mailman package. By specially crafting a Web address, an attacker can
obtain the password for every member of a discussion group.

"Anyone with a Web browser can download a file off a vulnerable
system--it's (easy to do)," said John Cartwright, co-founder and
manager of the Full Disclosure mailing list. The attack, known as a
remote directory traversal exploit, occurred on Jan. 2, according to
Cartwright's investigation. "As far as our server goes, there is no
evidence that any other files were accessed using this flaw."

The flaw could have far-reaching consequences because some mailing
list subscribers change their access code to a password that they
reuse elsewhere. Since Mailman uses subscribers' e-mail as their user
name, people who reuse passwords could put other accounts in jeopardy.

Servers that run Apache 2.0 and Mailman are suspected to be immune to
exploitation of the vulnerability, according to a security advisory on
the Mailman Web site.

"In any event, the safest approach is to assume the worst, and it is
recommended that you apply this Mailman patch as soon as possible,"  
the advisory stated.

The Full Disclosure discussion list had used Mailman running on Apache
1.3, a vulnerable configuration.

Companies and projects that distributed Mailman as part of their Linux
distribution have already started releasing fixes for the problem.  
Debian, Ubuntu and Gentoo Linux have released advisories citing the
problem and offering patches.

More information about the ISN mailing list