*** This bug has been split off bug 147342 ***
------- Original comment by Mark J. Cox (Security Response Team) on 2005.02.07
A flaw in the true_path function of Mailman was discovered. A remote attacker
could make use of this flaw with a carefully crafted URL and gain access to
files such a configuration files or list archives that should otherwise be
Administrators can see if attempts to use this flaw has been made by exmaining
their web server access logs for requests containing ".....///"
Now public, removing embargo, push at will.
was pushed on Thursday 2/10/05