J-Security Center

Title: GNU Mailman Empty Password Blank Salt Vulnerability

Severity: MODERATE

Description:

GNU Mailman is a freely available, open source mailing list manager written in Python, and maintained by public domain.

A problem with GNU Mailman could make it possible for a remote user to gain access to list functions as an arbitrary user, or potentially higher privileges. The problem is mainly circumstantial, and involves the existence of a blank hashed password file (zero bytes).

When a password is entered to permit entry to an access controlled section (for any user), the crypt function attempts to extract the salt of the hash from the adm.pw file. However, if the adm.pw file is zero bytes, the salt returns a blank value. When the password is then hashed with the salt, it too becomes a blank value. When these two values are compared, the result is a positive match for a password, thus permitting access.

This problem makes it possible for a remote user to gain access to a Mailman user's account, or access Mailman as the administrator of a mailing list.
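The comparison described above, shown next to a fail-closed version. This is an added example, not Mailman's own code: `toy_crypt` is a simplified stand-in that models only the behaviour the advisory describes (blank salt in, blank hash out), and the function names, file names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def toy_crypt(password, salt):
    # Stand-in for the crypt function (assumption, not the real crypt(3)):
    # a blank salt produces a blank hash, as the advisory describes.
    if not salt:
        return ""
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()


def read_stored(path):
    with open(path) as fp:
        return fp.read().strip()


def check_vulnerable(path, supplied):
    # Salt is taken from whatever the file holds; a zero-byte file gives
    # salt == "" and stored == "", so "" == "" passes for any password.
    stored = read_stored(path)
    return toy_crypt(supplied, stored[:2]) == stored


def check_hardened(path, supplied):
    # Fail closed: an empty or salt-only file can never authenticate.
    stored = read_stored(path)
    if len(stored) <= 2:
        return False
    candidate = toy_crypt(supplied, stored[:2])
    return bool(candidate) and hmac.compare_digest(candidate, stored)


def demo():
    # Constructed sample files: one zero-byte, one holding a real hash.
    with tempfile.TemporaryDirectory() as d:
        empty, good = os.path.join(d, "adm.pw"), os.path.join(d, "adm.pw.ok")
        open(empty, "w").close()
        with open(good, "w") as fp:
            fp.write(toy_crypt("s3cret", "ab"))
        return {
            "vulnerable_empty_file": check_vulnerable(empty, "anything"),
            "hardened_empty_file": check_hardened(empty, "anything"),
            "hardened_right_password": check_hardened(good, "s3cret"),
            "hardened_wrong_password": check_hardened(good, "guess"),
        }


if __name__ == "__main__":
    print(demo())
```

The same length check is a useful audit on disk: any zero-byte password file in a list directory should be treated as a misconfiguration and regenerated.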

Affected Products:

  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • GNU Mailman 2.0.0
  • GNU Mailman 2.0.1
  • GNU Mailman 2.0.2
  • GNU Mailman 2.0.3
  • GNU Mailman 2.0.4
  • GNU Mailman 2.0.5
