[Bug 1695667] [NEW] Various web attacks cause CGI modules to throw uncaught exceptions

Mark Sapiro mark at msapiro.net
Sat Jun 3 16:49:25 EDT 2017

Public bug reported:

This is merely an annoyance in that it adds error reports to Mailman's
error log. The web response is just the "we hit a bug" page, but we may
wish to defend against these. We have seen errors like

Jun 02 15:47:45 2017 admin(31978): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
admin(31978): [----- Mailman Version: 2.1.23 -----] 
admin(31978): [----- Traceback ------] 
admin(31978): Traceback (most recent call last):
admin(31978):   File "/srv/mailman/scripts/driver", line 117, in run_main
admin(31978):     main()
admin(31978):   File "/srv/mailman/Mailman/Cgi/subscribe.py", line 109, in main
admin(31978):     process_form(mlist, doc, cgidata, language)
admin(31978):   File "/srv/mailman/Mailman/Cgi/subscribe.py", line 147, in process_form
admin(31978):     ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':')
admin(31978): AttributeError: 'list' object has no attribute 'split'

Jun 02 15:48:05 2017 admin(32270): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
admin(32270): [----- Mailman Version: 2.1.23 -----] 
admin(32270): [----- Traceback ------] 
admin(32270): Traceback (most recent call last):
admin(32270):   File "/srv/mailman/scripts/driver", line 117, in run_main
admin(32270):     main()
admin(32270):   File "/srv/mailman/Mailman/Cgi/listinfo.py", line 74, in main
admin(32270):     if not Utils.IsLanguage(language):
admin(32270):   File "/srv/mailman/Mailman/Utils.py", line 751, in IsLanguage
admin(32270):     return mm_cfg.LC_DESCRIPTIONS.has_key(lang)
admin(32270): TypeError: unhashable type: 'list'

Jun 02 17:24:06 2017 admin(6887): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
admin(6887): [----- Mailman Version: 2.1.23 -----] 
admin(6887): [----- Traceback ------] 
admin(6887): Traceback (most recent call last):
admin(6887):   File "/srv/mailman/scripts/driver", line 117, in run_main
admin(6887):     main()
admin(6887):   File "/srv/mailman/Mailman/Cgi/admin.py", line 118, in main
admin(6887):     cgidata.getvalue('adminpw', '')):
admin(6887):   File "/srv/mailman/Mailman/SecurityManager.py", line 238, in WebAuthenticate
admin(6887):     ac = self.Authenticate(authcontexts, response, user)
admin(6887):   File "/srv/mailman/Mailman/SecurityManager.py", line 180, in Authenticate
admin(6887):     sharesponse = sha_new(response).hexdigest()
admin(6887): TypeError: must be string or buffer, not list

The above all result from POST data or query fragments containing multiple values for the same parameter resultin in that parameter being passed to the CGI as a list rather than a string.

We have also seen

Jun 02 17:08:00 2017 admin(27163): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
admin(27163): [----- Mailman Version: 2.1.23 -----] 
admin(27163): [----- Traceback ------] 
admin(27163): Traceback (most recent call last):
admin(27163):   File "/srv/mailman/scripts/driver", line 117, in run_main
admin(27163):     main()
admin(27163):   File "/srv/mailman/Mailman/Cgi/options.py", line 113, in main
admin(27163):     params = cgidata.keys()
admin(27163):   File "/usr/lib/python2.7/cgi.py", line 582, in keys
admin(27163):     raise TypeError, "not indexable"
admin(27163): TypeError: not indexable

which comes from a POST with no post data.

** Affects: mailman
     Importance: Low
     Assignee: Mark Sapiro (msapiro)
         Status: In Progress

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Various web attacks cause CGI modules to throw uncaught exceptions

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list