Barry I am not convinced that all the potential security problems with private.py are covered by the patch being published. For some time I have added modifications to private.py as part of my htdig integration patch which maybe should be considered for addition to the standard MM distribution. I give below the patch to private.py for MM release 2.1.4 (although the same fix applies to later releases) and some notes on the matter in the INSTALL.htdig-mm file added by my patch. Of course, these changes may be judged irrelevant by Mailman's developers. As an aside, I am not able to: 1. identify exactly what the exploit is. 2. see why it impacts solely on private archive access via private.py. 3. why Apache version is relevant to private.py operates unless the PATH_INFO environment variable value being set up for the CGI script by Apache is a result of version-dependent processing done by Apache on the request URI. Richard $build/INSTALL.htdig-mm ------------------------------------------------------------------------ - <snip> $prefix/Mailman/Cgi/private.py There is a security hole in the released Mailman code via which private.py will serve files such as a list's archive pipermail.pck and files in the list's archive database sub-directory. This hole also allows access to the list's archive htdig sub-directory. Fixes for this are applied. As htdig.py (see below) is based on private.py the same security fix has been incorporated into it. <snip> Notes and Warnings ---------------- Archive security problems resolved by htdig-2.1.3-0.2 patch This patch is hopefully the final step in closing security holes in archive access. In version htdig-2.1.3-0.1.patch, htdig.py was rebased on the standard MM release's private.py which had moved on since the snapshot of it used as the basis for htdig.py was originally taken. Among other things, htdig.py had been modified to prevent access to some files in list archive directories such as a list's archive pipermail.pck and files in the list's archive database sub-directory. This rebasing action re-introduced to htdig.py the security holes, still extant in private.py despite it being later code, via which private.py would serve files such as a list's archive pipermail.pck and files in the list's archive database sub-directory. The permissions on these files and directories mean that they are inaccessible via the web server using /pipermail/ URIs if a list's archive is public. <snip> ------------------------------------------------------------------------ - ------------------------------------------------------------------------ - diff -r -u -P --exclude=.DS_Store mailman-2.1.4-index/Mailman/Cgi/private.py mailman-2.1.4-htdig/Mailman/Cgi/private.py --- mailman-2.1.4-index/Mailman/Cgi/private.py Sat Feb 8 07:13:50 2003 +++ mailman-2.1.4-htdig/Mailman/Cgi/private.py Thu Jan 1 12:43:24 2004 @@ -21,6 +21,7 @@ import sys import cgi import mimetypes +import re from Mailman import mm_cfg from Mailman import Utils @@ -71,7 +72,7 @@ listname = parts[0].lower() mboxfile = '' - if len(parts) > 1: + if len(parts) == 2: mboxfile = parts[1] # See if it's the list's mbox file is being requested @@ -100,6 +101,26 @@ doc.AddItem(Header(2, msg)) print doc.Format() syslog('error', 'No such list "%s": %s\n', listname, e) + return + + # If the path is not: + # <list name>.mbox/<list name>.mbox + # it should conform to: + # <list name>/<archive name (but not htdig or database)>/... + # <list name>/<file_name which must end in .txt, .txt.gz or .html> + # and any filenames starting with '.' are also not allowed + num_parts = len(parts) + if not mboxfile and num_parts > 1 and \ + (parts[1] in ('database', 'htdig') or \ + (num_parts == 2 and \ + not re.compile(r'\.(html|txt|txt\.gz)$').search(true_filename) \ + ) or parts[-1][0] == '.' \ + ): + msg = _('Invalid archive file requested') + doc.SetTitle(msg) + doc.AddItem(Header(2, msg)) + print doc.Format() + syslog('error', 'Invalid archive file requested: %s', true_filename) return i18n.set_language(mlist.preferred_language) ------------------------------------------------------------------------ - On 10 Feb 2005, at 14:41, Barry Warsaw wrote:
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman 2.1 versions which can allow remote attackers to gain access to member passwords under certain conditions. The extent of the vulnerability depends on what version of Apache you are running, and (possibly) how you have configured your web server. However, the flaw is in Mailman and has been fix in CVS and will be included in the Mailman 2.1.6 release.
This issue has been assigned CVE number CAN-2005-0202.
We currently believe that Apache 2.0 sites are not vulnerable, and that many if not most Apache 1.3 sites are. In any event, the safest approach is to assume the worst and take the remediation steps indicated below as soon as possible.
The quickest fix is to remove the /usr/local/mailman/cgi-bin/private executable. This will disable all access to all private archives on your system. While this is the quickest and easiest way to close the hole, it will also break all your private archives. If all the lists on your site only run public archives, this won't matter to you.
Until Mailman 2.1.6 is released, the longer term fix is to apply this patch:
http://www.list.org/CAN-2005-0202.txt
For additional piece of mind, it is recommended that you regenerate your member passwords. Instructions on how to do this, and more information about this vulnerability are available here:
http://www.list.org/security.html
My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. This issue was found by Marcus Meissner.
-Barry
Richard Barrett http://www.openinfo.co.uk