Path traversal vulnerability exists in Mailman and can be exploited if Mailman's MTA is Exim.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNU Mailman | Fix Released | Medium | Mark Sapiro | |
Bug Description
The recommended Mailman Transport for Exim invokes the Mailman mail wrapper with an unedited listname derived from the $local_part of the email address less any known suffix.
The problem with this configuration is that $local_part is not guaranteed to be safe for use as a filesystem directory name. This allows a local attacker to create a directory with a config.pck file in a location that the mailman user can access, send an email to an address with the directory traversal in it (../../
The recommended Exim configuration does check that the lists/$
description: updated
information type: Private Security → Public Security
Changed in mailman:
status: In Progress → Fix Released
It appears that the postfix_to_mailman.py transport for Postfix and probably other MTA transports that deliver programmatically without using aliases are also vulnerable.
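An added example, not part of the original report and not Mailman's own fix: one way a transport that delivers programmatically could validate a list name derived from the local part before using it as a directory name. The list root, suffix list, name pattern and function names are assumptions for illustration, and the sample local parts are constructed.

```python
import os
import re

# Assumed values for illustration; not taken from Mailman's source.
LIST_ROOT = "/var/lib/mailman/lists"
SUFFIXES = ("-bounces", "-confirm", "-join", "-leave", "-owner",
            "-request", "-subscribe", "-unsubscribe", "-admin")
# Allow-list: one path component, starting with a letter or digit.
# \Z (not $) so a trailing newline cannot slip through.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9._-]*\Z")


def split_local_part(local_part):
    """Return (listname, command) after removing one known suffix."""
    lp = local_part.lower()
    for suffix in SUFFIXES:
        if lp.endswith(suffix) and len(lp) > len(suffix):
            return lp[:-len(suffix)], suffix[1:]
    return lp, "post"


def safe_list_dir(local_part, root=LIST_ROOT):
    """Map a local part to a directory directly under root, or None."""
    listname, _ = split_local_part(local_part)
    # Reject separators, NUL, leading dots and any ".." sequence.
    if not SAFE_NAME.match(listname) or ".." in listname:
        return None
    candidate = os.path.normpath(os.path.join(root, listname))
    # Containment check: the result must be a direct child of root.
    if os.path.dirname(candidate) != os.path.normpath(root):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample local parts, as an MTA might hand them over.
    for lp in ("mylist", "mylist-request", "../../tmp/evil",
               "../../tmp/evil-request", "a/b", "..", "mylist\n"):
        print(repr(lp), "->", safe_list_dir(lp))
```

The point of doing the check in the code that maps the address to a directory is that it holds whichever MTA transport calls it.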