Hi Developers! I've a question:
Why, on all the list sites that I look at, are the "Admin Links" open? Worse: why (inside the Admin Links) is the link "create a new mailing list" open? Anyone anywhere can try until they discover the Admin password??
My doubt is: why are those links open to the world? I think that it's very insecure, or not?!?
Thanks folks!!!
--
Edilson Azevedo Mail / Gtalk: eazevedo@bsd.com.br
On Jan 5, 2009, at 8:04 AM, Edilson Azevedo wrote:
> Hi Developers! I've a question:
> Why, on all the list sites that I look at, are the "Admin Links" open?
> Worse: why (inside the Admin Links) is the link "create a new mailing list" open? Anyone anywhere can try until they discover the Admin password??
> My doubt is: why are those links open to the world? I think that it's very insecure, or not?!?
Really? Those links should always be behind a login screen.
-Barry
Hi Barry, and thanks for the answer!
You said "should". But in 95% of the lists that I look at, those links are always open. A random example: the official Mailman mailing list. Follow my steps:
1 - Open this link: http://mail.python.org/mailman/admin
2 - Then click on "create a new mailing list"
3 - You can try to create a new list until you discover the correct password (if you don't know it). But if you don't know the password, you can try to use a brute-force tool. They are very easy to find and very, very, very easy to use. Sometimes they work very well.. hehehe.
Again: anyone anywhere can try to create a new list. Is that correct??!!
Thanks Barry!!!
P.S.: Try those same steps on other mailing list sites. It always works!
-- Atenciosamente,
Edilson Azevedo (19) 3787-3312 (12) 8156-5590 Mail / Gtalk: eazevedo@bsd.com.br
On Mon, 5 Jan 2009, Edilson Azevedo wrote:
> Hi Barry, and thanks for the answer!
> You said "should". But in 95% of the lists that I look at, those links are always open. A random example: the official Mailman mailing list. Follow my steps:
> 1 - Open this link: http://mail.python.org/mailman/admin
> 2 - Then click on "create a new mailing list"
> 3 - You can try to create a new list until you discover the correct password (if you don't know it). But if you don't know the password, you can try to use a brute-force tool. They are very easy to find and very, very, very easy to use. Sometimes they work very well.. hehehe.
> Again: anyone anywhere can try to create a new list. Is that correct??!!
> Thanks Barry!!!
> P.S.: Try those same steps on other mailing list sites. It always works!
Allow me to chime in and ask how this would be different if the form were behind a login screen? Or any form at all? You can "brute force" any screen in mailman and afaik there's no timeout or backoff interval.
I see this as a non-issue, personally, but I do think it looks bad, and think that screen should, in a perfect world, be shown ONLY if there is a "list creator" password with no other privileges (but then, if that was the behavior, it would leak that fact).
Just my 0.02.
-Dan
On Mon, Jan 05, 2009 at 09:34:47AM -0500, Dan Mahoney, System Admin wrote:
> I see this as a non-issue, personally, but I do think it looks bad, and
Likewise.
> think that screen should in a perfect world only be shown ONLY if there is a "list creator" password with no other privileges (but then, if that was the behavior, it would leak that fact).
If anyone were that bothered, they'd presumably use the authentication/protection methods of their webserver on /create: or, indeed, not bother making the Alias (or equiv) at all.
-- An Englishman thinks that 100 miles is a long way; an American thinks that 100 years is a long time.
Edilson Azevedo wrote:
> You said "should". But in 95% of the lists that I look at, those links are always open.
I think Barry misunderstood which links you are talking about.
The links on the list admin overview page to lists really reveal nothing but the names of public lists on the server. These are already available on the listinfo overview page and anyone who knows even a little bit about Mailman can easily construct admin or admindb links from the listinfo links. If you are concerned about revealing this, make all your lists advertised = No.
> A random example: the official Mailman mailing list. Follow my steps:
> 1 - Open this link: http://mail.python.org/mailman/admin
> 2 - Then click on "create a new mailing list"
Likewise, anyone with even a little knowledge of Mailman can figure out the URL to the create CGI.
The answer is to use strong passwords, and if you are really concerned, don't advertise any lists and remove Mailman's cgi-bin/create wrapper so lists can't be created from the web, or alternatively just don't set site admin or list creator passwords or remove data/adm.pw and data/creator.pw to remove those set previously.
--
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:
> I think Barry misunderstood which links you are talking about.
Yep. Thanks, I just re-read the OP (in post-coffee mode :), so now I get it.
> The links on the list admin overview page to lists really reveal nothing but the names of public lists on the server. These are already available on the listinfo overview page and anyone who knows even a little bit about Mailman can easily construct admin or admindb links from the listinfo links. If you are concerned about revealing this, make all your lists advertised = No.
>
> > A random example: the official Mailman mailing list. Follow my steps:
> > 1 - Open this link: http://mail.python.org/mailman/admin
> > 2 - Then click on "create a new mailing list"
>
> Likewise, anyone with even a little knowledge of Mailman can figure out the URL to the create CGI.
>
> The answer is to use strong passwords, and if you are really concerned, don't advertise any lists and remove Mailman's cgi-bin/create wrapper so lists can't be created from the web, or alternatively just don't set site admin or list creator passwords or remove data/adm.pw and data/creator.pw to remove those set previously.
Mark's suggestions are spot on.
-Barry
Ok... thanks to all!!!
But I've one last doubt: what is the advantage of keeping the creation of lists open to the world? What would be the real advantage? I need to understand before I block the access.
THANKS!!!!!
-- Atenciosamente,
Edilson Azevedo (19) 3787-3312 (12) 8156-5590 Mail / Gtalk: eazevedo@bsd.com.br
Edilson Azevedo wrote:
> But I've one last doubt: what is the advantage of keeping the creation of lists open to the world? What would be the real advantage? I need to understand before I block the access.
You may have people within your organization or trusted customers or whatever, depending on your circumstances, who you want to be able to create lists even though they don't have the ability to run bin/newlist on the Mailman server.
In this case, you would use bin/mmsitepass -c to set a list creator password which you would share with these people so they could create lists via the web.
Or, (this is a stretch) you might find yourself in a situation where you need to create a list, but in that particular situation, you have web access to the server but not shell access, and you could create a list via the web with the Mailman site password.
If none of this applies to you, you don't need web create ability.
--
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
Mark> The answer is to use strong passwords, and if you are really
Mark> concerned, don't advertise any lists and remove Mailman's
Mark> cgi-bin/create wrapper so lists can't be created from the web, or
Mark> alternatively just don't set site admin or list creator passwords
Mark> or remove data/adm.pw and data/creator.pw to remove those set
Mark> previously.
I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well. I fear those admins are also the ones most likely to not create strong passwords.
Maybe all that's necessary is to install cgi-bin/create as cgi-bin/create.disabled by default, set its permissions to not allow execution and add a note to the installation docs about the consequences of through-the-web list creation and how to set it up.
Skip
On Mon, Jan 05, 2009 at 12:12:31PM -0600, skip@pobox.com wrote:
> Maybe all that's necessary is to install cgi-bin/create as cgi-bin/create.disabled by default, set its permissions to not allow execution and add a note to the installation docs about the consequences of through-the-web list creation and how to set it up.
Or perhaps those responsible for the set-up look at what's being set-up, and take responsibility/make the choice themselves?
From memory, and on Debian/FBSD systems at least, setting up Mailman still requires intervention to sort out the web-interface/MTA integration -- even when packaged -- : that's good enough, imo.
-- ``You can't be a real country unless you have a beer and an airline. It helps if you have some kind of a football team, or some nuclear weapons, but at the very least you need a beer.'' (Frank Zappa)
>> Maybe all that's necessary is to install cgi-bin/create as
>> cgi-bin/create.disabled by default, set its permissions to not allow
>> execution and add a note to the installation docs about the
>> consequences of through-the-web list creation and how to set it up.
Adam> Or perhaps those responsible for the set-up look at what's being
Adam> set-up, and take responsibility/make the choice themselves?
People don't work that way. I was a Unix admin back in the day when virtually anybody could login to prep.ai.mit.edu. Wide open systems were probably wrong then and they are certainly wrong now. It's simply foolish to distribute software which by default has doors which are either open or easily opened.
Adam> From memory, and on Debian/FBSD systems at least, setting up
Adam> Mailman still requires intervention to sort out the
Adam> web-interface/MTA integration -- even when packaged -- : that's
Adam> good enough, imo.
That's only one type of system. It hardly represents the entire universe of possible platforms. Last time I looked Debian+FreeBSD didn't represent the bulk of the servers on the Internet. For better or worse I suspect that distinction probably goes to Windows.
At work, for example, we run it on Solaris. I'm pretty sure it wasn't installed from some turnkey package. I'm similarly sure whoever installed it wasn't a sophisticated Mailman user and wasn't aware of the cgi-bin/create script. Does Mailman run on Windows? If so, you're going to have problems. If not, then you are going to have people unfamiliar with Unix systems (that is, people who only know Windows) installing it. Damned if you do. Damned if you don't.
-- Skip Montanaro - skip@pobox.com - http://smontanaro.dyndns.org/
On Jan 5, 2009, at 1:12 PM, skip@pobox.com wrote:
> I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well.
> I fear those admins are also the ones most likely to not create strong passwords.
Note that by default, it's not possible to create mailing lists through the web even though the link exists. You have to create a site password or 'list creators' password to enable this feature. A site admin should know enough to set these passwords to something strong and difficult to brute force.
Still, the suggestion for disabling this CGI is easy enough, and if you have shell access to create those passwords, you have shell access to disable the CGI.
-Barry
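Mark and Skip both describe the same hardening: make sure the cgi-bin/create wrapper cannot run, and check whether data/adm.pw or data/creator.pw exist, since Barry notes the CGI only does anything once one of those passwords is set. The following audit is an added example, not code from this thread or from Mailman; the install prefix is an assumption, and the sample tree it audits is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Paths named in the thread, relative to the Mailman install prefix
# (the prefix itself, e.g. /usr/local/mailman, is an assumption).
CREATE_CGI = os.path.join("cgi-bin", "create")
PASSWORD_FILES = (os.path.join("data", "adm.pw"), os.path.join("data", "creator.pw"))


def _is_executable(path):
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def audit_web_create(prefix):
    """Report whether through-the-web list creation is live: the create CGI
    does nothing until a site admin or list creator password exists, so the
    feature is enabled only if the wrapper is executable AND a password file
    is present."""
    cgi_exec = _is_executable(os.path.join(prefix, CREATE_CGI))
    present = [p for p in PASSWORD_FILES if os.path.exists(os.path.join(prefix, p))]
    return {"create_cgi_executable": cgi_exec,
            "password_files": present,
            "web_create_enabled": cgi_exec and bool(present)}


def disable_web_create(prefix):
    """Skip's suggestion: rename the wrapper to create.disabled and clear its
    execute bits. Returns the new path, or None if the wrapper is absent."""
    src = os.path.join(prefix, CREATE_CGI)
    if not os.path.exists(src):
        return None
    dst = src + ".disabled"
    os.rename(src, dst)
    os.chmod(dst, 0o644)
    return dst


def make_sample_install(with_creator_pw):
    """Constructed, minimal Mailman-like tree in a temp dir (demo only)."""
    prefix = tempfile.mkdtemp(prefix="mm-audit-")
    os.makedirs(os.path.join(prefix, "cgi-bin"))
    os.makedirs(os.path.join(prefix, "data"))
    cgi = os.path.join(prefix, CREATE_CGI)
    with open(cgi, "w") as f:
        f.write("#!/bin/sh\necho stand-in for the create wrapper\n")
    os.chmod(cgi, 0o755)
    if with_creator_pw:
        with open(os.path.join(prefix, "data", "creator.pw"), "w") as f:
            f.write("constructed-password-hash\n")
    return prefix


def demo():
    # Audit a constructed install before and after disabling the CGI.
    prefix = make_sample_install(with_creator_pw=True)
    before = audit_web_create(prefix)["web_create_enabled"]
    disable_web_create(prefix)
    after = audit_web_create(prefix)["web_create_enabled"]
    return before, after
```

Run `demo()` against the constructed tree to see the feature flip from enabled to disabled; point `audit_web_create` at a real prefix to check an installation.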
On 2009-Jan-5, at 2:03 PM, Barry Warsaw wrote:
>> I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well.
>> I fear those admins are also the ones most likely to not create strong passwords.
>
> Note that by default, it's not possible to create mailing lists through the web even though the link exists. You have to create a site password or 'list creators' password to enable this feature. A site admin should know enough to set these passwords to something strong and difficult to brute force.
>
> Still, the suggestion for disabling this CGI is easy enough, and if you have shell access to create those passwords, you have shell access to disable the CGI.
This seems like it might be more of a failure in documentation/understanding than a failure in security. All this information is readily available (both about the fact that you can create from the web by default, and the fact that this can be disabled) but obviously people aren't finding it or don't even know to look for it.
I'll try to poke around and figure out where to put it when I get home from work. I'm guessing we could use some pointers in the install guides? Or perhaps I should work up a short intro to mailman security for new users who don't know the likely attack points?
Terri
On Jan 5, 2009, at 2:25 PM, Terri Oda wrote:
> This seems like it might be more of a failure in documentation/understanding than a failure in security. All this information is readily available (both about the fact that you can create from the web by default, and the fact that this can be disabled) but obviously people aren't finding it or don't even know to look for it.
>
> I'll try to poke around and figure out where to put it when I get home from work. I'm guessing we could use some pointers in the install guides? Or perhaps I should work up a short intro to mailman security for new users who don't know the likely attack points?
I think a separate section on security concerns would be really helpful.
Thanks!
-Barry
Barry Warsaw wrote:
On Jan 5, 2009, at 1:12 PM, skip@pobox.com wrote:
>> I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well.
>> I fear those admins are also the ones most likely to not create strong passwords.
>
> Note that by default, it's not possible to create mailing lists through the web even though the link exists. You have to create a site password or 'list creators' password to enable this feature. A site admin should know enough to set these passwords to something strong and difficult to brute force.
>
> Still, the suggestion for disabling this CGI is easy enough, and if you have shell access to create those passwords, you have shell access to disable the CGI.
As Barry points out, the door is neither open nor easily opened by default.
Also, in a default installation, alias generation is manual, and creating a list from the web is not sufficient to make it work.
Further, I think this whole list create issue is a red herring. If I were a black-hat looking to create a list on your server to use for my own nefarious purposes, I think I'd use my dictionary attack to try to access the admin interface of an existing list where the password is more likely to be weak. Once I have the admin password for an existing list, I can do anything with that list that I might have done with a new list, and incidentally do more damage to the installation (or at least that one list) in the process.
--
Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
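Dan points out that Mailman itself has no timeout or backoff on password attempts, and Mark expects a dictionary attack to go after an existing list's admin login rather than the create CGI, so spotting guessing has to happen at the web server. The following is an added example, not code from this thread or from Mailman: it parses Apache common-log-format lines (constructed samples below) and flags source addresses that POST repeatedly to the admin, admindb or create CGIs. The /mailman/ script-alias prefix is an assumption.

```python
import re
from collections import Counter

# Apache common log format; only the request line is parsed further.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Password-protected Mailman CGIs named in the thread. The /mailman/ prefix is
# the common ScriptAlias and is an assumption here; adjust for your server.
LOGIN_PATH_RE = re.compile(r"^/mailman/(admin/[^/?]+|admindb/[^/?]+|create)/?$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def password_guessing_sources(lines, threshold):
    """Return {(ip, path): count} for sources that POSTed to a Mailman login
    CGI at least `threshold` times. The HTTP status is deliberately ignored:
    a failed Mailman login is not assumed to produce a distinct status code,
    so the volume of POSTs from one address is the signal."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if LOGIN_PATH_RE.match(rec["path"]):
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: one address hammering a list's admin login, one
# legitimate admin logging in once, one address probing the create CGI.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2009:10:00:%02d -0500] "POST /mailman/admin/mylist HTTP/1.1" 200 5123' % s
    for s in range(12)
] + [
    '198.51.100.4 - - [05/Jan/2009:10:01:00 -0500] "POST /mailman/admin/mylist HTTP/1.1" 302 0',
    '198.51.100.4 - - [05/Jan/2009:10:01:01 -0500] "GET /mailman/admin/mylist HTTP/1.1" 200 9001',
    '203.0.113.9 - - [05/Jan/2009:10:02:00 -0500] "POST /mailman/create HTTP/1.1" 200 4410',
    '203.0.113.9 - - [05/Jan/2009:10:02:01 -0500] "POST /mailman/create HTTP/1.1" 200 4410',
    '203.0.113.9 - - [05/Jan/2009:10:02:02 -0500] "GET /mailman/listinfo HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for (ip, path), n in sorted(password_guessing_sources(SAMPLE_LOG, 10).items()):
        print(f"{ip} sent {n} POSTs to {path}")
```

Feed it real log lines (for example with `sys.stdin`) and pick a threshold that fits how often a genuine admin logs in; a single-list admin rarely needs more than a handful of POSTs per day.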