Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Flaw in mail-list software leaks passwords

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Flaw in mail-list software leaks passwords
Date: Fri, 11 Feb 2005 02:39:49 -0600 (CST) 
http://news.com.com/Flaw+in+mail-list+software+leaks+passwords/2100-1002_3-5571576.html

By Robert Lemos 
Staff Writer, CNET News.com
February 10, 2005

A previously unknown vulnerability in Mailman, a popular open-source
program for managing mailing lists, has led to the theft of the
password file for a well-known security discussion group.

The theft, discovered this week and reported in an announcement to the
Full Disclosure security mailing list on Wednesday, casts uncertainty
on the security of other discussion groups that use the open-source
Mailman package. By specially crafting a Web address, an attacker can
obtain the password for every member of a discussion group.

"Anyone with a Web browser can download a file off a vulnerable
system--it's (easy to do)," said John Cartwright, co-founder and
manager of the Full Disclosure mailing list. The attack, known as a
remote directory traversal exploit, occurred on Jan. 2, according to
Cartwright's investigation. "As far as our server goes, there is no
evidence that any other files were accessed using this flaw."

The flaw could have far-reaching consequences because some mailing
list subscribers change their access code to a password that they
reuse elsewhere. Since Mailman uses subscribers' e-mail as their user
name, people who reuse passwords could put other accounts in jeopardy.

Servers that run Apache 2.0 and Mailman are suspected to be immune to
exploitation of the vulnerability, according to a security advisory on
the Mailman Web site.

"In any event, the safest approach is to assume the worst, and it is
recommended that you apply this Mailman patch as soon as possible,"  
the advisory stated.

The Full Disclosure discussion list had used Mailman running on Apache
1.3, a vulnerable configuration.

Companies and projects that distributed Mailman as part of their Linux
distribution have already started releasing fixes for the problem.  
Debian, Ubuntu and Gentoo Linux have released advisories citing the
problem and offering patches.



_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Flaw in mail-list software leaks passwords, InfoSec News <=
Previous by Date:  [ISN] Hackers Quickly Target Newly Disclosed Microsoft Flaw, InfoSec News
Next by Date:  [ISN] Cybersecurity: It's Dollars and Sense, InfoSec News
Previous by Thread:  [ISN] Hackers Quickly Target Newly Disclosed Microsoft Flaw, InfoSec News
Next by Thread:  [ISN] Cybersecurity: It's Dollars and Sense, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]