I'm with Bob here - I did a scan of the httpd log on my mailman server
and I'm pretty sure we were not hit by either the spammers using the
~mailman/cgi-bin/roster vulnerability or the hackers via the
~mailman/cgi-bin/private vulnerability. I've now disabled both of these
scripts for the time being until I find a way to plug the holes.
Encrypting passwords will go a long way to fixing the risk in the
future, and forcing everyone to change their passwords is really a big
burden on them, especially if we're pretty sure they aren't
compromised.
Cheers,
Tobias
On Feb 10, 2005, at 1:29 PM, Bob Puff@NLE wrote:
I've -always- disabled the monthly reminders, so that would be no great loss.

If we convert to one-way passwords, could the upgrade script convert the current passwords? It would be a -big- deal if everyone had to reset their passwords.

Bob
Barry Warsaw wrote:
I think CAN-2005-0202 gives us the opportunity to finally implement
what we have long considered an embarrassing exposure in Mailman's
config.pck databases. Member passwords are kept in this database in the clear.
The obvious fix is to hash member passwords and keep only the hash in the database. We haven't changed this before now for two reasons:

1. We would have to regenerate all member passwords, which is an administrative burden. We might also need to implement checks to see if the passwords were cleartext or hashed and do the password comparison accordingly.

2. This breaks all password reminders.

To fully address CAN-2005-0202 we're recommending sites regenerate their member passwords anyway, so this gives us an opening to fix this properly. And we have a better internal password generator now too.

As for #2, well, I think most people hate those password reminders anyway, and we've decided that they are going away for MM3. I don't think many people would shed too many tears if we killed off monthly password reminders for 2.1.6. Doing that would also eliminate the requirement for the site list, since its primary purpose is to function as the sender of the reminder messages.

To do this for 2.1.6, we'd have to change the "Email My Password To Me" feature in the options page and in the member login page. These would have to become a "create a new password for me" feature. Also, crontab.in should not call mailpasswds anymore, or that script should turn into a simple "here's the lists you are on" reminder, without the password information in it. This will require i18n updates too.

The downside to doing this now is that it's more coding work for 2.1.6 and I'd like to get the new version out asap. Still, this seems like an opportunity that we shouldn't lightly dismiss. What do you all think? Is anybody willing to take a crack at a patch for this?

-Barry
--
Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives:
http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/ bob%40nleaudio.com
--
Tobias Eigen
Executive Director
Kabissa - Space for Change in Africa
http://www.kabissa.org

Kabissa's vision is for a socially, economically, politically, and environmentally vibrant Africa, supported by a strong network of effective civil society organizations.