Mailing list application Majordomo 2 reveals file content
From http://www.h-online.com/security/new...t-1183034.html
Quote:
A bug in the way path names are evaluated means that it is possible to view the content of arbitrary files on a Majordomo mailing list system using the help command. The vulnerability can be exploited via both the web and email interfaces in Majordomo 2. According to a security advisory, simply sending an email with the content help ../../../../../../../../../../../../../etc/passwd to the Majordomo account is sufficient to receive a response containing the content of the /etc/passwd file. The bug is fixed in snapshot versions majordomo-20110125 (direct download) and later.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 3rd February 2011 at 08:56 PM.
Reason: Stressing it is Majordomo 2 (thanks jggimi )
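The class of bug described in the quoted article, as an added Python example that is not part of the original post and is not Majordomo's own (Perl) code: a help-file lookup that joins the requested topic to a base directory unchecked, next to one that resolves the path and confirms it stays inside the help directory. The names `help_dir`, `naive_help_path`, `safe_help_path` and the temporary directory layout are hypothetical.

```python
import os
import tempfile

class HelpTopicError(ValueError):
    """Raised when a requested help topic is not a file inside the help directory."""

def naive_help_path(help_dir, topic):
    # Pattern behind this class of bug: the request is joined to the base unchecked.
    return os.path.normpath(os.path.join(help_dir, topic))

def safe_help_path(help_dir, topic):
    base = os.path.realpath(help_dir)
    if not topic or "\x00" in topic or os.path.isabs(topic):
        raise HelpTopicError("invalid topic name")
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, topic))
    if os.path.commonpath([base, candidate]) != base:
        raise HelpTopicError("topic resolves outside the help directory")
    if not os.path.isfile(candidate):
        raise HelpTopicError("no such help topic")
    return candidate

def read_help(help_dir, topic):
    with open(safe_help_path(help_dir, topic), encoding="utf-8") as fh:
        return fh.read()

def demo():
    # Constructed layout: <tmp>/help/subscribe is a help file, <tmp>/secret is not.
    with tempfile.TemporaryDirectory() as root:
        help_dir = os.path.join(root, "help")
        os.mkdir(help_dir)
        with open(os.path.join(help_dir, "subscribe"), "w", encoding="utf-8") as fh:
            fh.write("usage: subscribe <list>\n")
        with open(os.path.join(root, "secret"), "w", encoding="utf-8") as fh:
            fh.write("outside the help tree\n")
        escaped = naive_help_path(help_dir, "../secret")
        results = {"naive_escapes": not escaped.startswith(help_dir + os.sep),
                   "subscribe": read_help(help_dir, "subscribe")}
        for topic in ("../secret", "../../../../etc/passwd", "/etc/passwd", ""):
            try:
                read_help(help_dir, topic)
                results[topic] = "served"
            except HelpTopicError:
                results[topic] = "rejected"
        return results

if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path, so a symlink placed inside the help directory that points elsewhere is rejected as well.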