Product:

Mailman - Webmailsystem (http://www.endymion.com)

Problem Description:

due to missing input-validation it is possible to read files with the 
webservers (or mailmans) permissions
a similar (pretty much the same) bug was discovered 2 years ago from 
"secureality" 
(http://www.securereality.com.au/)/(http://online.securityfocus.com/archive/1/149214).


Example:

a HTTP-request to:
http://hostname/cgi-bin/mmstdo*.cgi
with the following parameters:
USERNAME=
PASSWORD=
ALTERNATE_TEMPLATES= [relative FILE/PATH] [Nullbyte/0x00]

.... will lead to disclosure of [FILE/PATH]




Summary:

object: mmstdo*.cgi (Perl Script)

class: Reffering to OWASP-IV (Input Validation Classes)

Directory Traversal (IV-DT-1) 
http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1) http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm

remote: yes
local: ---
severity: medium

vendor: hast been informed [got a ticket# from some automated reply .. but 
nothing else]
patch/fix: ???
recomannded fix: sanitize meta-characters from user-input




security@freefly.com
rudicarell@hotmail.com
http://www.websec.org

check out the Open Web Application Security project
http://www.owasp.org