[Mailman-Developers] Cookie security hole in admin interface
Harald Meland
Harald.Meland@usit.uio.no
11 Jun 1999 20:40:11 +0200
[John Morton]
> John Morton writes:
> > I was looking at the code for the admin cgi in search of a good cookie
> > authentication system, and found out that it was doing this,
Thanks for letting us know -- this certainly gave me some incentive to
have a look at what those pesky cookies really are all about. I guess
Barry'll have to whip up a new release (1.0rc2?) shortly...
> > Any better suggestions?
>
> A quick glance at the WWW security FAQ suggests a good solution:
>
> http://www.w3.org/Security/Faq/wwwsf7.html#Q66
As the extra complexity added by having to save session state on the
server side (i.e. have Mailman keep track of session IDs) is rather
large, and as Mailman isn't safe from package sniffing anyway (unless
you're running things on a SSL server, in which case cookie sniffing
shouldn't be of any trouble anyway), I settled for slightly less.
I have just committed a fix to CVS, based on these two new
SecurityManager functions:
    def MakeCookie(self):
        # Bind the cookie to the address the request came from.
        client_ip = os.environ.get('REMOTE_ADDR') or '0.0.0.0'
        issued = int(time.time())
        expires = issued + mm_cfg.ADMIN_COOKIE_LIFE
        # The list password is the shared secret; it never leaves the server.
        secret = self.password
        mac = hash(secret + client_ip + `issued` + `expires`)
        return [client_ip, issued, expires, mac]

    def CheckCookie(self, cookie):
        # Reject anything that is not a well-formed four-element cookie.
        if type(cookie) <> type([]):
            return 0
        if len(cookie) <> 4:
            return 0
        client_ip = os.environ.get('REMOTE_ADDR') or '0.0.0.0'
        [for_ip, issued, expires, received_mac] = cookie
        # The cookie is only valid from the address it was issued to...
        if for_ip <> client_ip:
            return 0
        # ...and only within its lifetime...
        now = time.time()
        if not issued < now < expires:
            return 0
        # ...and only if the MAC over the fields still matches.
        secret = self.password
        mac = hash(secret + client_ip + `issued` + `expires`)
        if mac <> received_mac:
            return 0
        return 1
Hopefully, this new cookie scheme will suffice -- if anyone does see
flaws in it, don't hesitate to get in touch.
--
Harald
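The cookie scheme from the message above, as an added example that is not from the post or from Mailman: the same IP-bound, expiring cookie, but with the MAC computed by HMAC-SHA256 (Python's hmac module) instead of the builtin hash(), and verified with a constant-time comparison. Function names, the sample secret, the IP addresses and the timestamps are constructed; time is passed in as a parameter rather than read from the clock so every check can be exercised deterministically.

```python
import hmac
import hashlib

# Added example, not Mailman's code: cookie = [client_ip, issued, expires, mac]
# exactly as in the post, with hash() swapped for a keyed HMAC.


def _mac(secret, client_ip, issued, expires):
    """Keyed MAC over the cookie fields; the secret never leaves the server."""
    msg = "%s|%d|%d" % (client_ip, issued, expires)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def make_cookie(secret, client_ip, now, lifetime):
    """Issue a cookie bound to client_ip that is valid for `lifetime` seconds."""
    issued = int(now)
    expires = issued + lifetime
    return [client_ip, issued, expires, _mac(secret, client_ip, issued, expires)]


def check_cookie(secret, cookie, client_ip, now):
    """True only if the cookie is well-formed, bound to client_ip, unexpired
    and carries a MAC computed under `secret` over exactly these fields."""
    if not isinstance(cookie, list) or len(cookie) != 4:
        return False
    for_ip, issued, expires, received_mac = cookie
    if not (isinstance(issued, int) and isinstance(expires, int)
            and isinstance(received_mac, str)):
        return False
    if for_ip != client_ip:
        return False
    # The post used `issued < now < expires` with a truncated issue time;
    # `<=` here avoids rejecting a cookie checked within its issuing second.
    if not issued <= now < expires:
        return False
    expected = _mac(secret, client_ip, issued, expires)
    return hmac.compare_digest(expected, received_mac)


def demo():
    secret = "list-admin-password"  # constructed sample secret
    c = make_cookie(secret, "192.0.2.10", 1000, 3600)
    extended = [c[0], c[1], c[2] + 86400, c[3]]  # expiry edited, MAC unchanged
    return {
        "valid": check_cookie(secret, c, "192.0.2.10", 1500),
        "other_ip": check_cookie(secret, c, "192.0.2.11", 1500),
        "expired": check_cookie(secret, c, "192.0.2.10", 1000 + 3600),
        "extended": check_cookie(secret, extended, "192.0.2.10", 1500),
        "wrong_secret": check_cookie("guess", c, "192.0.2.10", 1500),
    }


if __name__ == "__main__":
    print(demo())
```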