Re: [Mailman-Users] Disabling mailman/create Web Page

I wrote on Sep 4:
> Our cyber security group sent me notice of a vulnerability in a Mailman web page:
> Web Application Potentially Sensitive CGI Parameter Detection
> I think it is the URL:
> mailman/create
and Mark Sapiro replied:
> If there really is a Mailman security issue, please post the details to mailman-security@python.org.
and "George A. Theall" <theall@tifaware.com> replied:
> This almost certainly is from a Nessus scan - see:
> http://www.nessus.org/plugins/index.php?view=single&id=40773
> This particular "plugin" isn't reporting a vulnerability per se (i.e., its risk factor is "None"). Instead, it notes that the name of one or more parameters suggests it might be sensitive in some fashion.
> Disclaimer: I work for Tenable Network Security as Director of Vulnerability Research, which, among other things, is responsible for writing the plugins for Nessus.
I was able to block access to the mailman/create page on my Mailman test virtual machine, but the same code did not work on the production Mailman machine. I have asked my Apache expert to look at why.
On the test machine I was successful, but a Nessus scan on that machine still reports
Web Application Potentially Sensitive CGI Parameter Detection
What other Mailman web page(s) would cause this? Thanks.
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 240, Room 5.B.8
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: BSFinkel@anl.gov
IBMMAIL: I1004994

Barry Finkel wrote:
> I was able to block access to the mailman/create page on my Mailman test virtual machine, but the same code did not work on the production Mailman machine. I have asked my Apache expert to look at why.
> On the test machine I was successful, but a Nessus scan on that machine still reports
> Web Application Potentially Sensitive CGI Parameter Detection
> What other Mailman web page(s) would cause this? Thanks.
If I correctly understand George Theall's explanation, any page that posts CGI fields with names that look like they might be passwords. This includes any of the admindb, admin, private and options login pages.
I don't know enough about how Nessus works to know if it can scan pages that can only be reached after login, but if so, probably also the admin Passwords page and the options page itself.
Again, if I correctly understand what Nessus is doing, there would seem to be only two ways to avoid these reports: disable all web access to Mailman, or allow only https access to Mailman. For the latter, see the FAQ at <http://wiki.list.org/x/7oA9>.
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
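One way to implement both mitigations discussed in this thread (blocking the mailman/create page, and serving Mailman only over HTTPS), as an added Apache 2.4 example that is not part of the original thread or of the Mailman project; the hostname, certificate paths and the Mailman cgi-bin path are assumptions:

```apache
# Added example, not from the thread. Apache 2.4 syntax ("Require");
# paths and hostname are assumptions for a typical Mailman 2.1 install.

# 1. Block the list-creation page. <Location> matches the request URL,
#    so the rule does not depend on where the CGI binaries live on disk.
<Location "/mailman/create">
    Require all denied
</Location>

# 2. Serve Mailman only over HTTPS, so the login forms (admin, admindb,
#    private, options) never carry their password fields in clear text.
<VirtualHost *:80>
    ServerName lists.example.org
    # Send every plain-HTTP Mailman request to the HTTPS site.
    Redirect permanent /mailman/   https://lists.example.org/mailman/
    Redirect permanent /pipermail/ https://lists.example.org/pipermail/
</VirtualHost>

<VirtualHost *:443>
    ServerName lists.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.example.org.key

    # Assumed location of the Mailman 2.1 CGI wrappers.
    ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
    <Directory "/usr/lib/mailman/cgi-bin/">
        AllowOverride None
        Options ExecCGI
        Require all granted
    </Directory>
</VirtualHost>
```

Mailman 2.1 also needs DEFAULT_URL_PATTERN in mm_cfg.py set to an https URL (and existing lists updated with bin/withlist -r fix_url) so the links it generates match the redirect above; after reloading Apache, re-run the scan to confirm which login pages still trigger the check.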