Florian Streibelt reported:

[1] http://bugs.gentoo.org/show_bug.cgi?id=259968#c0

a directory traversal flaw in the way mlmmj (Mailing List Managing Made Joyful), a mailing list manager, processed users' requests to edit and save list entries, originating from the php-admin web interface. A remote, authenticated attacker could use these flaws to alter the integrity of the system (write and / or delete arbitrary files) by providing specially-crafted list variable content to the edit or save request.

Vulnerable mlmmj versions: Issue originally reported against mlmmj-v1.2.16, but mlmmj-v1.2.17 seems still to be affected.

CVE Request(s): [2] http://www.openwall.com/lists/oss-security/2010/06/23/5

Upstream bug report: [3] http://mlmmj.org/node/84
Relevant mlmmj files, Florian references in [1], are:

1, 'edit' case: BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/edit.php:

    function mlmmj_list($name, $nicename, $text)
    {
        global $tpl, $topdir, $list;

        $file = "$topdir/$list/control/$name";
        $value = "";
    ..
    $tpl = new rFastTemplate($templatedir);

    $list = $HTTP_GET_VARS["list"];

    if(!isset($list))
        die("no list specified");

    if(!is_dir($topdir."/".$list))
        die("non-existent list");

2, 'save' case: BUILD/mlmmj-1.2.17/contrib/web/php-admin/htdocs/save.php:

    function mlmmj_list($name, $nicename, $text)
    {
        global $tpl, $topdir, $list,$HTTP_POST_VARS;

        $file = $topdir."/".$list."/control/".$name;

        if(!empty($HTTP_POST_VARS[$name]))
        {
            if (!$fp = fopen($file, "w"))
                die("Couldn't open ".$file." for writing");

            fwrite($fp, $HTTP_POST_VARS[$name]);
            fclose($fp);
        }
        else
            @unlink($file);

    }

    // Perl's encode_entities (to be able to use tunables.pl)
    function encode_entities($str) { return htmlentities($str); }


    $tpl = new rFastTemplate($templatedir);

    $list = $HTTP_POST_VARS["list"];

    if(!isset($list))
        die("no list specified");

    if(!is_dir($topdir."/".$list))
        die("non-existent list");
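A containment check for the `list` parameter, as an added example that is not mlmmj's own code: `resolve_list_dir()` and the temporary fixture directories are hypothetical, and PHP 7.1 or later is assumed. It goes beyond the reported case by also refusing empty, `.` and nested names, and it prints the result of the original `is_dir()` test next to the canonicalised check for each constructed input.

```php
<?php
// Added example: resolve_list_dir() is a hypothetical helper, not mlmmj code.

/** Canonical directory of $list if it is a direct child of $topdir, else null. */
function resolve_list_dir(string $topdir, string $list): ?string
{
    // A list name is one path component: refuse empty names, "." and "..",
    // path separators and NUL bytes before touching the filesystem.
    if ($list === '' || $list === '.' || $list === '..'
        || strpbrk($list, '/\\') !== false || strpos($list, "\0") !== false) {
        return null;
    }
    $base = realpath($topdir);               // canonical form of the configured root
    $path = realpath($topdir . '/' . $list); // false when the path does not exist
    if ($base === false || $path === false || !is_dir($path)) {
        return null;
    }
    // Symlinks are resolved by now, so the parent must be the canonical root.
    return dirname($path) === $base ? $path : null;
}

// Constructed fixture: a throwaway spool with one list and a sibling directory.
$root   = sys_get_temp_dir() . '/mlmmj-demo-' . getmypid();
$topdir = $root . '/spool';
mkdir($topdir . '/announce/control', 0700, true);
mkdir($root . '/outside/control', 0700, true);

// Constructed values for the "list" request parameter.
foreach (['announce', '', '.', '../outside', 'announce/control', 'missing'] as $list) {
    // The only test the original edit.php and save.php apply to $list.
    $old = is_dir($topdir . '/' . $list) ? 'passes' : 'fails';
    $new = resolve_list_dir($topdir, $list) === null ? 'rejected' : 'accepted';
    printf("%-20s is_dir(): %-7s resolve_list_dir(): %s\n",
        var_export($list, true), $old, $new);
}

// Remove the fixture again, deepest directories first.
foreach (['/spool/announce/control', '/spool/announce', '/spool',
          '/outside/control', '/outside', ''] as $dir) {
    rmdir($root . $dir);
}
```

Only `announce` is accepted; every other value is refused, although all of them except `missing` satisfy the original `is_dir()` test.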
This issue affects the versions of the mlmmj package, as shipped with Fedora releases of 11, 12, and 13. This issue affects the versions of the mlmmj package, as present within EPEL-4 and EPEL-5 repositories.
This has been assigned the name CVE-2009-4896: http://www.openwall.com/lists/oss-security/2010/06/25/2
Created mlmmj tracking bugs for this issue Affects: fedora-all [bug 611549]
Hi,

I'm a Debian developer and I made a patch for this issue as follows. This has been approved by the upstream author. I believe that you could apply it in RedHat as well, as the current maintainer said he wouldn't fix right away.

I hope this helps,

Thomas Goirand (zigo)

#!/bin/sh /usr/share/dpatch/dpatch-run ## 07_fix_CVE-2009-4896_php-admin_directory_traversal.patch by <zigo> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fixes directory traversal CVE-2009-4896 (Closes: #588038). @DPATCH@ --- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/edit.php 2010-07-18 21:42:23.000000000 +0800 +++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/edit.php 2010-07-18 21:49:34.000000000 +0800 @@ -104,6 +104,9 @@ if(!isset($list)) die("no list specified"); +if ( dirname( realpath($topdir."/".$list) ) != $topdir) +die("Access not in topdir forbidden"); + if(!is_dir($topdir."/".$list)) die("non-existent list"); --- mlmmj-1.2.15.orig/contrib/web/php-admin/htdocs/save.php 2010-07-18 21:42:28.000000000 +0800 +++ mlmmj-1.2.15/contrib/web/php-admin/htdocs/save.php 2010-07-18 21:49:09.000000000 +0800 @@ -79,6 +79,9 @@ if(!isset($list)) die("no list specified"); +if ( dirname( realpath($topdir."/".$list) ) != $topdir) +die("Access not in topdir forbidden"); + if(!is_dir($topdir."/".$list)) die("non-existent list");
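Review bot: In the edit.php hunk the added test compares dirname(realpath($topdir."/".$list)) with the raw $topdir string, so it only matches when the configured $topdir is already written in canonical form; with a trailing slash or a symlinked component in $topdir every list, valid ones included, would be refused. Comparing against realpath($topdir) and using !== instead of != would keep the check strict without depending on how $topdir is spelled in the configuration.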
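Review bot: In the save.php hunk the added check runs before the existing is_dir() test, and realpath() returns false for a path that does not exist, so a request for a missing list now dies with "Access not in topdir forbidden" instead of "non-existent list"; a separate branch for the false case would keep the two errors distinguishable. The three added lines are also an exact copy of the ones in edit.php, so a shared helper included by both scripts would stop the two checks from drifting apart, which matters more here because this script goes on to open files for writing and to unlink them.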
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.