COMMAND

    MailMan

SYSTEMS AFFECTED

    All 3.x versions of MailMan Webmail below 3.0.26

PROBLEM

    The following is based on Secure Reality Advisory SRADV00005.
    MailMan is a product by the Endymion corporation that provides a
    web based interface to email via POP3 and SMTP.  MailMan is very
    popular due to its amazingly easy setup and operation.

    MailMan is  written as  a Perl  CGI script,  the version  which is
    shipped  to  customers  is  obfuscated  in  an  attempt to prevent
    piracy.   The  code  contains  several  insecure  calls  to open()
    containing  user  specified  data.   These  calls  can  be used to
    execute commands on the remote server with the permissions of  the
    user that runs CGI scripts,  usually the web server user  which is
    in most cases 'nobody'.

    MailMan uses template files to define the appearance of the output
    so that customers can brand the software to their particular
    service (e.g. ISP, Educational Institution).

    In previous versions of MailMan the location of the template files
    was  static.   Versions  above  3  developed  the  ability to have
    multiple different sets  of template files.   The location of  the
    template   files   is   defined   by   a   form   variable  called
    'ALTERNATE_TEMPLATES'.   When  opening  the  alternate   templates
    MailMan fails to specify the '<' mode to the infamous two-argument
    Perl open() statement; the resulting open looks like the
    following:

        open("$ALTERNATE_TEMPLATES_<action>.html");

    Where <action>  is a  defined template  name.   Obviously since we
    have control  of the  $ALTERNATE_TEMPLATES variable  we easily use
    pipe redirection to  execute commands on  the remote server.   The
    following request  will execute  "id" on  a vulnerable  remote web
    server and return the output to the browser:

        /mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00

    Please note that if $mailman::strLocalTemplateLocation is defined
    in the configuration section at the top of the script (it is
    commented out by default and is rarely enabled) this attack will
    fail, since we won't be able to affect the beginning of the open
    string.
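
    The two-argument open() problem described above, next to a hardened
    replacement, as an added example written for this page.  It is not
    MailMan's code: the template directory, the set of action names and
    the file layout are assumptions.  The fixed directory prefix plays
    the same role as the $mailman::strLocalTemplateLocation caveat,
    and the three-argument open() pins the mode so no part of the name
    is ever read as a pipe.

```perl
#!/usr/bin/perl
# Added example, not MailMan's code: two-argument open() on attacker
# influenced data versus a hardened three-argument open() with input
# validation.  Paths and action names are assumptions for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# The pattern the advisory describes.  With two arguments, open() takes
# the mode from the string itself, so a '|' at the start or end of the
# caller-controlled prefix turns a file read into a command pipe.
# Kept here only for comparison; it is never called with live input.
sub open_template_unsafe {
    my ($alt, $action) = @_;
    open(my $fh, "${alt}_${action}.html") or return;   # mode comes from data
    return $fh;
}

# Hardened version:
#  1. the set name is restricted to a short allowlist of characters
#     (NUL, '|', '/', '..' and whitespace are all rejected),
#  2. the action must be one of the known template names,
#  3. the path is anchored under a fixed directory,
#  4. three-argument open() fixes the mode to '<' (read only).
my %KNOWN_ACTIONS = map { $_ => 1 } qw(login inbox compose);  # assumed
my $TEMPLATE_DIR  = tempdir(CLEANUP => 1);                    # assumed

sub open_template_safe {
    my ($alt, $action) = @_;
    die "bad template set name\n"
        unless defined $alt && $alt =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    die "unknown action\n"
        unless defined $action && $KNOWN_ACTIONS{$action};
    my $path = "$TEMPLATE_DIR/${alt}_${action}.html";
    open(my $fh, '<', $path) or die "cannot read $path: $!\n";
    return $fh;
}

# Constructed template so the valid case has something to open.
open(my $out, '>', "$TEMPLATE_DIR/default_inbox.html")
    or die "cannot create demo template: $!";
print $out "<html><body>inbox template</body></html>\n";
close $out;

# Constructed inputs: one legitimate set name, one with a pipe
# character, one with a path component, one with an embedded NUL.
for my $alt ('default', '|bad', '../../other', "x\0y") {
    my $shown = $alt;
    $shown =~ s/\0/\\0/g;
    my $fh = eval { open_template_safe($alt, 'inbox') };
    if ($fh) {
        print "'$shown' -> opened template\n";
        close $fh;
    } else {
        print "'$shown' -> rejected: $@";   # $@ already ends in newline
    }
}
```

    Running the script prints one "opened template" line for 'default'
    and a "rejected" line for each of the other three inputs.  The
    character allowlist is what stops the pipe and NUL tricks; the
    three-argument open() is the defence in depth that holds even if a
    later edit loosens the validation.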

SOLUTION

    Please upgrade to the latest version of MailMan (3.0.26) at

        http://www.endymion.com/products/mailman/download.htm