CVE-2011-0049
Published 2011-02-04
Priority: P3 · 59 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 95.39% (99.9th percentile)
Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
Affected
35 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mj2 | majordomo_2 | <= 20110203 | — |
| mj2 | majordomo_2 | <= 20110130 | — |
| mj2 | majordomo_2 | — | — |
Detection & IOCs
URL: /cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./..././..././..././..././..././..././..././.../etc/passwd
- Detect HTTP GET requests to /cgi-bin/mj_wwwusr with 'func=help' and an 'extra=' parameter containing directory traversal sequences (e.g., '../', './.../').
- Detect the bypass traversal sequence './.../' in HTTP requests, which collapses to '../' after the flawed regex substitution ($file =~ s!/?\.\./?!!g).
- Monitor inbound emails to the Majordomo mail interface with body content starting with 'help' followed by path traversal sequences (e.g., 'help ../../../../../../../../../../../../../etc/passwd'), as the vulnerability is exploitable via SMTP as well as HTTP.
- The Metasploit module targets this vulnerability and by default attempts to retrieve the Majordomo config.pl file; monitor for requests to mj_wwwusr fetching config.pl via traversal.
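The HTTP detections above can be run over web server access logs. The following is an added example, not code from Majordomo or from any of the cited sources: it flags help requests to mj_wwwusr whose 'extra' value contains a '..' path segment either as sent or only after the flawed substitution has run. The log lines, the combined log format and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flawed_sanitize(value):
    # Python equivalent of the Perl substitution quoted above: s!/?\.\./?!!g
    return re.sub(r'/?\.\./?', '', value)

def has_dotdot_segment(value):
    # True if any path segment is exactly '..'
    return '..' in re.split(r'[/\\]', value)

def classify(log_line):
    """Return 'direct', 'bypass' or None for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith('/mj_wwwusr'):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if 'help' not in params.get('func', []):
        return None
    for extra in params.get('extra', []):
        if has_dotdot_segment(extra):
            return 'direct'   # traversal visible before any filtering
        if has_dotdot_segment(flawed_sanitize(extra)):
            return 'bypass'   # traversal appears only after the filter runs
    return None

# Constructed sample log lines (documentation IP ranges, made-up sizes).
BASE = '/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra='
LINE = '%s - - [03/Feb/2011:10:00:00 +0000] "GET %s HTTP/1.1" 200 512'
SAMPLE_LOG = [
    LINE % ('192.0.2.10', BASE + 'subscribe'),
    LINE % ('198.51.100.7', BASE + '../../etc/passwd'),
    LINE % ('198.51.100.7', BASE + './..././.../etc/passwd'),
    LINE % ('192.0.2.10', '/cgi-bin/mj_wwwusr?func=lists&extra=..'),
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

The second verdict matters because the 'direct' form is neutralised by the substitution while the './.../' form is created by it, so a rule that only looks for '../' misses the bypass.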
GHSA
ghsa_unreviewed·2022-05-03
CVE-2011-0049 [MEDIUM] CWE-22 GHSA-59mr-6pw8-2c97: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo
GHSA
ghsa_unreviewed·2022-05-03·CVSS 5.0
CVE-2011-0063 [MEDIUM] CWE-22 GHSA-rjjv-8xhv-gg57: The _list_file_get function in lib/Majordomo
The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the "extra" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049.
No detection rules found.
Exploit-DB
exploitdb·2011-02-03·CVSS 5.0
CVE-2011-0063 [MEDIUM] Majordomo2 - 'SMTP/HTTP' Directory Traversal
---
Original Advisory: https://sitewat.ch/en/Advisory/View/1
Credit: Michael Brooks (https://sitewat.ch)
Vulnerability: Directory Traversal
Software: Majordomo2
Identifier: CVE-2011-0049
Vendor: http://www.mj2.org/
Affected Build: 20110121 and prior
Google dork: inurl:mj_wwwusr
Special thanks to Dave Miller, Reed Loden and the rest of the Mozilla security team for handling the issue.
This vulnerability is exploitable via ALL of Majordomo2's interfaces. *Including e-mail*. Send an email to majordomo's mail interface (for example: [email protected]) with the body of the message as follows:
help ../../../../../../../../../../../../../etc/passwd
I'll give you one guess as to the contents of the response email ;).
PoC for HTTP:
http://localh
Metasploit
Majordomo2 _list_file_get() Directory Traversal
metasploit
This module exploits a directory traversal vulnerability present in the _list_file_get() function of Majordomo2 (help function). By default, this module will attempt to download the Majordomo config.pl file.
Nuclei
nuclei·CVSS 5.0
CVE-2011-0049 [MEDIUM] Majordomo2 - SMTP/HTTP Directory Traversal
A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
Template:
id: CVE-2011-0049
info:
  name: Majordomo2 - SMTP/HTTP Directory Traversal
  author: pikpikcu
  severity: medium
  description: A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
  impact: |
    This
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Bugzilla
bugzilla·2011-02-03·CVSS 5.0
CVE-2011-0049 [MEDIUM] Possible to bypass fix for CVE-2011-0049 (majordomo2 directory traversal in 'help' command)
Nikolas Sotiriu reported the following issue to security@ concerning a way to bypass the majordomo2 fix in bug 628064:
So the bug is that the majordomo2 path for the bug (628064) is absolut
terrible and not working.
See attachment 506481.
Check the regex ($file =~ s!/?\.\./?!!g;) do you see it :)
It deletes ../ but what happens if i ./.../ ?
./.../ becomes ../
http://bugzilla.org/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./..././..././..././..././..././..././..././.../etc/passwd
Maybe a regex like this is better:
$file =~ s/\.\.//g;
Discussion:
"absolut terrible and not working". Wow. I'm in here helping folks fix code I haven't worked on in years, and honestly think I de
http://osvdb.org/70762
http://secunia.com/advisories/43125
http://securityreason.com/securityalert/8061
http://www.exploit-db.com/exploits/16103
http://www.kb.cert.org/vuls/id/363726
http://www.securityfocus.com/archive/1/516150/100/0/threaded
http://www.securityfocus.com/bid/46127
http://www.securitytracker.com/id?1025024
http://www.vupen.com/english/advisories/2011/0288
https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481
https://bugzilla.mozilla.org/show_bug.cgi?id=628064
https://exchange.xforce.ibmcloud.com/vulnerabilities/65113
https://sitewat.ch/en/Advisory/View/1