CVE-2011-0049
published 2011-02-04

Priority: P3, 59
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 95.39% (99.9th percentile)
Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.

Affected

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| mj2 | majordomo_2 | <= 20110203 | |
| mj2 | majordomo_2 | <= 20110130 | |
| mj2 | majordomo_2 | | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd
url: /cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./..././..././..././..././..././..././..././.../etc/passwd
path: /cgi-bin/mj_wwwusr
path: lib/Majordomo.pm
other: Google dork: inurl:mj_wwwusr
  • Detect HTTP GET requests to /cgi-bin/mj_wwwusr with 'func=help' and 'extra=' parameter containing directory traversal sequences (e.g., '../', './.../').
  • Detect the bypass traversal sequence './.../' in HTTP requests, which collapses to '../' after the flawed regex substitution ($file =~ s!/?\.\./?!!g), because the substitution makes a single pass and does not re-scan its own output.
  • Monitor inbound emails to the Majordomo mail interface with body content starting with 'help' followed by path traversal sequences (e.g., 'help ../../../../../../../../../../../../../etc/passwd'), as the vulnerability is exploitable via SMTP as well as HTTP.
  • The Metasploit module targets this vulnerability and by default attempts to retrieve the Majordomo config.pl file; monitor for requests to mj_wwwusr fetching config.pl via traversal.
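
The HTTP detection described in the first two bullets, as an added example (not code from the original page or from Majordomo): a Python access-log scanner that flags `func=help` requests to `/cgi-bin/mj_wwwusr` whose `extra` value contains `..`, and replays the flawed one-pass substitution to report whether the sequence would survive it. The log lines, function names and verdict labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Python equivalent of the flawed substitution quoted above: one left-to-right
# pass, with no re-scan of the text that the deletions leave behind.
FLAWED = re.compile(r"/?\.\./?")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flawed_filter(value):
    return FLAWED.sub("", value)

def classify(log_line):
    """Return None, 'traversal-stripped' or 'traversal-survives-filter'."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/cgi-bin/mj_wwwusr"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "help" not in params.get("func", []):
        return None
    for raw in params.get("extra", []):
        extra = unquote(raw)  # second decode pass catches double-encoded dots
        if ".." not in extra:
            continue
        # The filter only deletes characters, so any ".." in the input is worth
        # an alert; what is left afterwards shows whether the filter was bypassed.
        if ".." in flawed_filter(extra):
            return "traversal-survives-filter"
        return "traversal-stripped"
    return None

def scan(lines):
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]

# Constructed access-log lines (192.0.2.0/24 is a documentation range).
PREFIX = '192.0.2.10 - - [04/Feb/2011:10:00:00 +0000] "GET '
BASE = "/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra="
SAMPLE_LOG = [
    PREFIX + BASE + 'subscribe HTTP/1.1" 200 512',
    PREFIX + BASE + '/../../../../etc/passwd HTTP/1.1" 200 1843',
    PREFIX + BASE + './..././.../etc/passwd HTTP/1.1" 200 1843',
    PREFIX + BASE + '%2e/%2e%2e%2e/etc/passwd HTTP/1.1" 200 1843',
    PREFIX + '/index.html?func=help&extra=../ HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(lineno, verdict)
```

Both verdicts warrant an alert; the second also marks requests that the pre-20110131 filter would not have neutralized.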