privacy problems with web interface
Hello:
We're running a 16K member mailing list on version 1.1 and running into a significant privacy issue regarding membership management.
As distributed, Mailman makes it trivial to discover if a given address is in fact a subscriber. If you suspect dev@null.com has joined a list, go to the user page and enter his address to subscribe; you'll get back a revealing reply 'You already belong, dummy'.
We initially yanked large chunks of html from the general list information page, but that removes all web-based user options.
Our ideal outcome is a General List Info Page with two actions:
No password section:
    Current users get passwords (if any) mailed, with the web page not saying if any address is subscribed or not. If not a subscriber, Mailman would send a "subscription confirmation" notice to the potential member. (This also alerts the 'victim' of potential abuse.)
Password presented sections:
    Users w/ password see no feedback until after entering a valid ID and pw; i.e. both non-existent users and existing ones w/ bad pw's are met with "Sorry, wrong password" as in a *nix login.
We looked at modifying the html on the user pages but the python module "handle_opts" seems hard-coded into giving revealing responses. We also glanced at Mailman 2.0.6 but it seemed to offer the same behavior.
Has anyone else already looked into this issue, and proposed code to solve it? We are considering writing a patch for "handle_opts" and submitting it but 1) don't want to fork the code, and 2) don't want to duplicate/waste the effort.
thanks, David and Federico
"FG" == Federico Grau <donfede@casagrau.org> writes:
FG> As distributed, Mailman makes it trivial to discover
FG> if a given address is in fact a subscriber. If you suspect
FG> dev@null.com has joined a list, go to the user page and
FG> enter his address to subscribe; you'll get back a revealing
FG> reply 'You already belong, dummy'..
What we can do for MM2.1 is, if the subscriber list is not public, i.e. private_roster is not "Anyone", then if they attempt to subscribe an already subscribed address, we can show them a results page that looks no different whether they actually are subscribed or not.
Then if they are subscribed, we'll send the user a message saying somebody tried to subscribe their address (should we email the admin too?). If they aren't subscribed, then we'll do the normal routine.
(I need to make sure the web message you'd see is identical regardless of whether you're subscribed or not. That's a little tricky, but doable.)
FG> We looked at modifying the html on the user pages but the
FG> python module "handle_opts" seems hard-coded into giving
FG> revealing responses. We also glanced at Mailman 2.0.6 but it
FG> seemed to offer the same behavior.
FG> Has anyone else already looked into this issue, and proposed
FG> code to solve it? We are considering writing a patch for
FG> "handle_opts" and and submitting it but 1) don't want to fork
FG> the code, and 2) don't want to duplicate/waste the effort.
In MM2.1, this is done by the options.py cgi script. Here we need to do something similar, but again, it's a little tricky.
If the user is subscribed, and a url containing their email address is given, then they are presented with a page prompting only for their password. If the email address is incorrect, or missing in the url, then they are prompted for both their address and password.
This needs to change such that if private_roster is not "Anyone", then the same sets of prompts will be given regardless of whether the address is a member or not. That leads me to think that if private_roster <> "Anyone" then if any email address is given, we'll only prompt for the password. Obviously, there'll be no matching password, so the error condition in both cases will be to return them to the options prompt page, asking for both email address and password.
This should avoid leaking any membership information. I'll work on getting that into MM2.1. Watch CVS.
-Barry
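The behaviour Barry describes (one results page for the subscribe form and one prompt set for the options page whenever private_roster is not "Anyone"), shown next to the leaky behaviour Federico reports. This is an added example, not Mailman's code: the MailingList class, its member table, the private_roster labels, the response strings, the client_ip parameter and the example addresses are all constructed here to illustrate the design, and no Mailman module (handle_opts, options.py) is reproduced.

```python
"""Enumeration-resistant subscribe / options handling, modelled on the thread.

Added example, not Mailman's own code: every class, label, string and address
below is constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field

ROSTER_PUBLIC = "Anyone"             # the only roster setting where leaking is moot
PROMPT_BOTH = ("email", "password")  # prompt sets the options page can show
PROMPT_PASSWORD = ("password",)


@dataclass
class MailingList:
    name: str
    private_roster: str = "List members"  # constructed non-public default
    members: dict = field(default_factory=dict)   # address -> password
    outbox: list = field(default_factory=list)    # (to, subject) of mail "sent"

    def roster_is_public(self) -> bool:
        return self.private_roster == ROSTER_PUBLIC

    # --- subscribe form -------------------------------------------------------
    def subscribe_leaky(self, address: str) -> str:
        """Behaviour the thread complains about: the page reveals membership."""
        if address in self.members:
            return "You are already subscribed."
        self.outbox.append((address, "please confirm your subscription"))
        return "A confirmation request has been mailed to you."

    def subscribe(self, address: str, client_ip: str = "unknown") -> str:
        """Proposed behaviour: one results page whether or not address is a member."""
        if address in self.members:
            if self.roster_is_public():
                return "You are already subscribed."
            # Only the existing member learns anything: a notice, carrying the
            # requester's IP as Peter suggests, goes to their own mailbox.
            self.outbox.append((address, f"subscription attempt from {client_ip}"))
        else:
            self.outbox.append((address, "please confirm your subscription"))
        return "A confirmation request has been mailed to you."

    # --- options page ---------------------------------------------------------
    def options_prompts_leaky(self, address) -> tuple:
        """Old options page: a member's address in the URL gets the shorter form."""
        if address and address in self.members:
            return PROMPT_PASSWORD
        return PROMPT_BOTH

    def options_prompts(self, address) -> tuple:
        """Proposed: with a private roster the prompt depends only on whether an
        address was supplied at all, never on whether it is a member."""
        if not address:
            return PROMPT_BOTH
        if self.roster_is_public():
            return PROMPT_PASSWORD if address in self.members else PROMPT_BOTH
        return PROMPT_PASSWORD

    def options_login(self, address: str, password: str) -> tuple:
        """Unknown address and wrong password fail identically, like a *nix login."""
        stored = self.members.get(address, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return ("error", "Sorry, wrong password.", PROMPT_BOTH)
        return ("ok", f"Options for {address}", ())


def web_view(mlist: MailingList, address: str, leaky: bool = False) -> tuple:
    """Everything an anonymous web client can observe about `address`.

    Defender's check: for a private roster this tuple must be identical for a
    member and a non-member; if it differs, the interface still enumerates.
    """
    if leaky:
        return (mlist.subscribe_leaky(address),
                mlist.options_prompts_leaky(address),
                mlist.options_login(address, "not-the-password"))
    return (mlist.subscribe(address, client_ip="192.0.2.10"),  # documentation-range IP
            mlist.options_prompts(address),
            mlist.options_login(address, "not-the-password"))


def make_demo_list(private_roster: str = "List members") -> MailingList:
    """Constructed fixture: one member, private roster unless told otherwise."""
    return MailingList("demo-list", private_roster, {"alice@example.com": "s3cret"})


if __name__ == "__main__":
    ml = make_demo_list()
    member, stranger = "alice@example.com", "nobody@example.com"
    print("leaky responses identical:", web_view(ml, member, True) == web_view(ml, stranger, True))
    print("fixed responses identical:", web_view(ml, member) == web_view(ml, stranger))
```

The check in web_view is the property to keep in mind when touching either page later: every branch that depends on membership must end in the same page text and the same prompt set, and the only place the difference may surface is in mail to the address itself.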
On Thu, Oct 11, 2001 at 06:54:04PM -0400, Barry A. Warsaw wrote:
> What we can do for MM2.1 is, if the subscriber list is not public, i.e. private_roster is not "Anyone", then if they attempt to subscribe an already subscribed address, we can show them a results page that looks no different whether they actually are subscribed or not.
> Then if they are subscribed, we'll send the user a message saying somebody tried to subscribe their address (should we email the admin too?). If they aren't subscribed, then we'll do the normal routine.
I wouldn't bother the admin. It would be nice if the emails that mailman sends contained something like the Web client's IP address in the headers or message (maybe that already happens; I do not recall) in case some subscriber wants/needs to follow up on a request.
> (I need to make sure the web message you'd see is identical regardless of whether you're subscribed or not. That's a little tricky, but doable.)
Sounds great.
> In MM2.1
> If the user is subscribed, and a url containing their email address is given, then they are presented with a page prompting only for their password. If the email address is incorrect, or missing in the url, then they are prompted for both their address and password.
> This needs to change such that if private_roster is not "Anyone", then the same sets of prompts will be given regardless of whether the address is a member or not.
> This should avoid leaking any membership information. I'll work on getting that into MM2.1. Watch CVS.
Barry, this all sounds great. We'll be setting up a test machine this weekend just for testing out MM CVS code so we can track this and do what we can to help out (and also to work with Postfix and VERP). These changes will be much appreciated!
-Peter
Participants (3): barry@zope.com, Federico Grau, Peter W