CVE-2011-0063
Published 2011-03-15
Priority: P3 53 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 85.45% (99.7th percentile)
The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the "extra" parameter to the help command, which causes the regular expression to produce .. (dot dot) sequences. NOTE: this vulnerability is due to an incomplete fix for CVE-2011-0049.
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mj2 | majordomo_2 | <= 20110203 | — |
| mj2 | majordomo_2 | — | — |
Detection & IOCs
URL: http://bugzilla.org/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./..././..././..././..././..././..././..././.../etc/passwd
No detection rules found.
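As an added example (not taken from the advisories or rule sources listed on this page), the following Python script flags requests to mj_wwwusr whose "extra" parameter contains a path segment made only of dots, which covers both the ../ form of CVE-2011-0049 and the ./.../ form of CVE-2011-0063. The log lines are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines for illustration (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2011:10:00:01 +0000] "GET /cgi-bin/mj_wwwusr?'
    'passw=&list=GLOBAL&user=&func=help&extra=./..././..././.../etc/passwd'
    ' HTTP/1.1" 200 1432',
    '192.0.2.11 - - [15/Mar/2011:10:00:05 +0000] "GET /cgi-bin/mj_wwwusr?'
    'func=help&extra=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '192.0.2.12 - - [15/Mar/2011:10:00:09 +0000] "GET /cgi-bin/mj_wwwusr?'
    'func=help&extra=subscribe HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A path segment made only of two or more dots: ".." or the "..." in "./.../".
DOT_SEGMENT = re.compile(r"^\.{2,}$")

def fully_decode(value, rounds=3):
    """Percent-decode up to `rounds` times so nested encoding cannot hide dots."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_extra(url):
    """Return the decoded 'extra' value if it holds a dot-only segment, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/mj_wwwusr"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("extra", []):
        value = fully_decode(raw).replace("\\", "/")
        if any(DOT_SEGMENT.match(seg) for seg in value.split("/")):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_extra) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (value := suspicious_extra(match.group(1))) is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: traversal attempt in extra={value!r}")
```

Matching on dot-only segments rather than the literal string "../" is what catches the ./.../ variant, since that input never contains "../" until the application's own filtering rewrites it.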
Exploit-DB
Majordomo2 - 'SMTP/HTTP' Directory Traversal
exploitdb · 2011-02-03 · CVSS 5.0
CVE-2011-0063 [MEDIUM] Majordomo2 - 'SMTP/HTTP' Directory Traversal
---
Original Advisory: https://sitewat.ch/en/Advisory/View/1
Credit: Michael Brooks (https://sitewat.ch)
Vulnerability: Directory Traversal
Software: Majordomo2
Identifier: CVE-2011-0049
Vendor: http://www.mj2.org/
Affected Build: 20110121 and prior
Google dork: inurl:mj_wwwusr
Special thanks to Dave Miller, Reed Loden and the rest of the Mozilla
security team for handling the issue.
This vulnerability is exploitable via ALL of Majordomo2's interfaces. *Including e-mail*. Send an email to majordomo's mail interface (for example: [email protected]) with the body of the message as follows:
help ../../../../../../../../../../../../../etc/passwd
I'll give you one guess as to the contents of the response email ;).
PoC for HTTP:
http://localh
Metasploit
Majordomo2 _list_file_get() Directory Traversal
metasploit
This module exploits a directory traversal vulnerability present in the _list_file_get() function of Majordomo2 (help function). By default, this module will attempt to download the Majordomo config.pl file.
Nuclei
Majordomo2 - SMTP/HTTP Directory Traversal
nuclei · CVSS 5.0
CVE-2011-0049 [MEDIUM] Majordomo2 - SMTP/HTTP Directory Traversal
A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
Template:
id: CVE-2011-0049
info:
  name: Majordomo2 - SMTP/HTTP Directory Traversal
  author: pikpikcu
  severity: medium
  description: A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
  impact: |
    This
http://secunia.com/advisories/43631
http://securityreason.com/securityalert/8133
http://sotiriu.de/adv/NSOADV-2011-003.txt
http://www.securityfocus.com/archive/1/516923/100/0/threaded
https://bugzilla.mozilla.org/show_bug.cgi?id=631307
https://exchange.xforce.ibmcloud.com/vulnerabilities/66011
Published: 2011-03-15