
Hello!
There are BIG security problems with mailman. For example a list administrator can subscribe an "email address" like this with mass subscribe:
touch /tmp/gotcha
Then when someone sends mail to the list, the command is executed... this means any list administrator can get access to the user running mailman on the list server. I could not achieve the same when trying to subscribe as a normal user, but I cannot say that it is safe. This needs a very urgent fix.
Greg
Ps. thanks to Endre Hirling <endre@dawn.elte.hu> for pointing this problem out to me
--
Madarasz Gergely <gorgo@caesar.elte.hu> <gorgo@linux.rulez.org>
It's practically impossible to look at a penguin and feel angry. [The same tagline in Hungarian.]
HuLUG: http://www.cab.u-szeged.hu/local/linux/

Actually, that's a known issue. Security stuff is on our todo list, but not much thought has gone into it yet. I hadn't actually put too high a priority on it at this point, since you only need to trust list administrators. It was certainly expected to be done before beta. However, if you want it in sooner, we can move it up. Or, for an even quicker solution, you or someone else could submit patches to either b4, or b5, which will come out perhaps today or tomorrow, but if not, on Monday for sure. It depends on how much time I have to do testing...
John
On Thu, Jul 23, 1998 at 07:05:38PM +0200, Gergely Madarasz wrote:
> Hello!
> There are BIG security problems with mailman. For example a list administrator can subscribe an "email address" like this with mass subscribe:
> touch /tmp/gotcha
> Then when someone sends mail to the list, the command is executed... this means any list administrator can get access to the user running mailman on the list server. I could not achieve the same when trying to subscribe as a normal user, but I cannot say that it is safe. This needs a very urgent fix.
> Greg
> Ps. thanks to Endre Hirling <endre@dawn.elte.hu> for pointing this problem out to me
> --
> Madarasz Gergely <gorgo@caesar.elte.hu> <gorgo@linux.rulez.org>
> It's practically impossible to look at a penguin and feel angry. [The same tagline in Hungarian.]
> HuLUG: http://www.cab.u-szeged.hu/local/linux/
> Mailman-Developers maillist - Mailman-Developers@python.org http://www.python.org/mailman/listinfo/mailman-developers

On Thu, 23 Jul 1998, John Viega wrote:
> Actually, that's a known issue. Security stuff is on our todo list, but not much thought has gone into it yet. I hadn't actually put too high a priority on it at this point, since you only need to trust list administrators. It was certainly expected to be done before beta. However, if you want it in sooner, we can move it up. Or, for an even quicker solution, you or someone else could submit patches to either b4, or b5, which will come out perhaps today or tomorrow, but if not, on Monday for sure. It depends on how much time I have to do testing...
As I mentioned in my prior message, this has been addressed in the working copy, so we're no longer interested in other patches for it. (We will be interested in exercise of the fixes, of course, once they're released...)
Ken klm@python.org
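As an added example (not code from Mailman or from anyone on this thread), here is the pattern the report describes beside the defensive version: subscriber strings interpolated into a shell command line, versus addresses validated against an allow-list and handed to the MTA as an argv list with no shell in between. The sendmail path and the sample subscriber list are assumptions.

```python
import re
import subprocess

# Constructed sample subscriber list. The second entry is the kind of
# "email address" the report describes: harmless as data, a command if a
# shell ever sees it.
SUBSCRIBERS = ["alice@example.org", "touch /tmp/gotcha", "bob@example.net"]

# Conservative allow-list for a mailbox. Whitespace, ; | & $ ` quotes and
# newlines are all excluded, and a leading "-" is excluded so a validated
# address can never be parsed as an MTA command-line option.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
)

def is_valid_address(addr: str) -> bool:
    """True only for a plain mailbox built from allow-listed characters."""
    return ADDRESS_RE.fullmatch(addr) is not None

def unsafe_command(recipients):
    """The vulnerable pattern: recipients pasted into one shell command line.
    Returned as a string for inspection only; nothing here executes it."""
    return "/usr/sbin/sendmail " + " ".join(recipients)

def screen_subscribers(recipients):
    """Split a subscriber list into (accepted, rejected) by the allow-list."""
    accepted = [r for r in recipients if is_valid_address(r)]
    rejected = [r for r in recipients if not is_valid_address(r)]
    return accepted, rejected

def safe_delivery_argv(recipients):
    """The hardened pattern: refuse the whole batch if any address fails
    validation, then build an argv list so each recipient is exactly one
    argument to the MTA and can never become a separate command."""
    _, rejected = screen_subscribers(recipients)
    if rejected:
        raise ValueError(f"rejected malformed recipient(s): {rejected}")
    return ["/usr/sbin/sendmail"] + list(recipients)

def deliver(recipients, message: bytes) -> int:
    """Hand the message to the MTA without a shell (argv list, shell=False).
    Assumes /usr/sbin/sendmail exists; not exercised by the checks below."""
    argv = safe_delivery_argv(recipients)
    return subprocess.run(argv, input=message, check=False).returncode
```

Rejecting the batch rather than silently dropping the bad entry is deliberate: a mass-subscribe that contains a shell command is a signal worth logging, not just filtering.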
Participants (3): Gergely Madarasz, John Viega, Ken Manheimer