Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 259968 (CVE-2009-4896)

Summary: <net-mail/mlmmj-1.2.17.1: php admin webinterface input validation vulnerability (CVE-2009-4896)
Product: Gentoo Security Reporter: Florian Streibelt <gentoo>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: net-mail+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Florian Streibelt 2009-02-23 02:23:50 UTC
102 $list = $HTTP_GET_VARS["list"];
[...]
107 if(!is_dir($topdir."/".$list))
108 die("non-existent list");

the name of the list allows all characters like '../' in it.

one can check the existence of arbitrary directories and might be able to write files.


it might also be possible to delete arbitrary files:

56     $file = $topdir."/".$list."/control/".$name;
[...]
67         @unlink($file);




Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-11 00:15:12 UTC
seems this is something we should take a look at
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-22 16:44:39 UTC
Florian, did you report this upstream yet?
Comment 3 Florian Streibelt 2010-06-25 22:56:39 UTC
(In reply to comment #2)
> Florian, did you report this upstream yet?
 
On Wed, 06/23/2010 - 20:40 —  http://mlmmj.org/node/84  
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:56:50 UTC
1.2.17 is out, fixing the issue, please provide an updated ebuild.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-03 05:55:53 UTC
craig: 1.2.17 has been in the tree since February...
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-03 10:14:17 UTC
Where have I been looking? Oo

Arches, please test and mark stable:
=net-mail/mlmmj-1.2.17
Target keywords : "amd64 ppc x86"
Comment 7 Andreas Schürch gentoo-dev 2010-08-03 11:01:00 UTC
ehm... I would say that 1.2.17 doesn't solve the issue!? 
The flaw was reported in June, fixed in july, but 1.2.17 is released in January!
At least the first reported issue looks exactly the same in 1.2.17!
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-03 14:25:40 UTC
This is my personal failbug, sorry.
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 12:54:20 UTC
CVE-2009-4896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4896):
  Multiple directory traversal vulnerabilities in the mlmmj-php-admin
  web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15
  through 1.2.17 allow remote authenticated users to overwrite, create,
  or delete arbitrary files, or determine the existence of arbitrary
  directories, via a .. (dot dot) in a list name in a (1) edit or (2)
  save action.

Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-24 17:15:16 UTC
1.2.17.1 is in the tree now with the fixes from upstream.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-24 18:46:21 UTC
Arches, please test and mark stable:
=net-mail/mlmmj-1.2.17.1
Target keywords : "amd64 ppc x86"
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2010-08-24 22:01:56 UTC
amd64 done
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-25 02:00:36 UTC
x86 stable
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2010-09-11 21:49:42 UTC
Marked ppc stable.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:58:35 UTC
GLSA Vote: yes.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:46:47 UTC
Vote: YES, glsa request filed.
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-11-18 08:01:16 UTC
This bug is too old. We will not produce glsa here.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-12-07 20:50:47 UTC
Setting back to non-resolved for glsa
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:33 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).