[Mailman-Developers] Re: [Mailman-Announce] Critical security
update for Mailman 2.1.5 and earlier
Richard Barrett
r.barrett at openinfo.co.uk
Thu Feb 10 18:24:08 CET 2005
Barry
I am not convinced that all the potential security problems with
private.py are covered by the patch being published. For some time I
have added modifications to private.py as part of my htdig integration
patch which maybe should be considered for addition to the standard MM
distribution.
I give below the patch to private.py for MM release 2.1.4 (although the
same fix applies to later releases) and some notes on the matter in the
INSTALL.htdig-mm file added by my patch.
Of course, these changes may be judged irrelevant by Mailman's
developers.
As an aside, I am not able to:
1. identify exactly what the exploit is.
2. see why it impacts solely on private archive access via private.py.
3. why Apache version is relevant to private.py operates unless the
PATH_INFO environment variable value being set up for the CGI script by
Apache is a result of version-dependent processing done by Apache on
the request URI.
Richard
$build/INSTALL.htdig-mm
------------------------------------------------------------------------
-
<snip>
$prefix/Mailman/Cgi/private.py
There is a security hole in the released Mailman code via which
private.py will
serve files such as a list's archive pipermail.pck and files in the
list's
archive database sub-directory. This hole also allows access to the
list's
archive htdig sub-directory. Fixes for this are applied. As htdig.py
(see below)
is based on private.py the same security fix has been incorporated into
it.
<snip>
Notes and Warnings
----------------
Archive security problems resolved by htdig-2.1.3-0.2 patch
This patch is hopefully the final step in closing security holes in
archive
access.
In version htdig-2.1.3-0.1.patch, htdig.py was rebased on the standard
MM
release's private.py which had moved on since the snapshot of it used
as the
basis for htdig.py was originally taken. Among other things, htdig.py
had been
modified to prevent access to some files in list archive directories
such as a
list's archive pipermail.pck and files in the list's archive database
sub-directory.
This rebasing action re-introduced to htdig.py the security holes,
still extant
in private.py despite it being later code, via which private.py would
serve
files such as a list's archive pipermail.pck and files in the list's
archive
database sub-directory.
The permissions on these files and directories mean that they are
inaccessible
via the web server using /pipermail/ URIs if a list's archive is public.
<snip>
------------------------------------------------------------------------
-
------------------------------------------------------------------------
-
diff -r -u -P --exclude=.DS_Store
mailman-2.1.4-index/Mailman/Cgi/private.py
mailman-2.1.4-htdig/Mailman/Cgi/private.py
--- mailman-2.1.4-index/Mailman/Cgi/private.py Sat Feb 8 07:13:50 2003
+++ mailman-2.1.4-htdig/Mailman/Cgi/private.py Thu Jan 1 12:43:24 2004
@@ -21,6 +21,7 @@
import sys
import cgi
import mimetypes
+import re
from Mailman import mm_cfg
from Mailman import Utils
@@ -71,7 +72,7 @@
listname = parts[0].lower()
mboxfile = ''
- if len(parts) > 1:
+ if len(parts) == 2:
mboxfile = parts[1]
# See if it's the list's mbox file is being requested
@@ -100,6 +101,26 @@
doc.AddItem(Header(2, msg))
print doc.Format()
syslog('error', 'No such list "%s": %s\n', listname, e)
+ return
+
+ # If the path is not:
+ # <list name>.mbox/<list name>.mbox
+ # it should conform to:
+ # <list name>/<archive name (but not htdig or database)>/...
+ # <list name>/<file_name which must end in .txt, .txt.gz or .html>
+ # and any filenames starting with '.' are also not allowed
+ num_parts = len(parts)
+ if not mboxfile and num_parts > 1 and \
+ (parts[1] in ('database', 'htdig') or \
+ (num_parts == 2 and \
+ not
re.compile(r'\.(html|txt|txt\.gz)$').search(true_filename) \
+ ) or parts[-1][0] == '.' \
+ ):
+ msg = _('Invalid archive file requested')
+ doc.SetTitle(msg)
+ doc.AddItem(Header(2, msg))
+ print doc.Format()
+ syslog('error', 'Invalid archive file requested: %s',
true_filename)
return
i18n.set_language(mlist.preferred_language)
------------------------------------------------------------------------
-
On 10 Feb 2005, at 14:41, Barry Warsaw wrote:
> There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
> 2.1 versions which can allow remote attackers to gain access to member
> passwords under certain conditions. The extent of the vulnerability
> depends on what version of Apache you are running, and (possibly) how
> you have configured your web server. However, the flaw is in Mailman
> and has been fix in CVS and will be included in the Mailman 2.1.6
> release.
>
> This issue has been assigned CVE number CAN-2005-0202.
>
> We currently believe that Apache 2.0 sites are not vulnerable, and that
> many if not most Apache 1.3 sites are. In any event, the safest
> approach is to assume the worst and take the remediation steps
> indicated
> below as soon as possible.
>
> The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
> executable. This will disable all access to all private archives on
> your system. While this is the quickest and easiest way to close the
> hole, it will also break all your private archives. If all the lists
> on
> your site only run public archives, this won't matter to you.
>
> Until Mailman 2.1.6 is released, the longer term fix is to apply this
> patch:
>
> http://www.list.org/CAN-2005-0202.txt
>
> For additional piece of mind, it is recommended that you regenerate
> your
> member passwords. Instructions on how to do this, and more information
> about this vulnerability are available here:
>
> http://www.list.org/security.html
>
> My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec.
> This issue was found by Marcus Meissner.
>
> -Barry
-----------------------------------------------------------------------
Richard Barrett http://www.openinfo.co.uk
More information about the Mailman-Developers
mailing list