[Mailman-Users] Edit options security flaw
Marius Amado Alves
amado.alves at netcabo.pt
Tue Dec 14 12:43:00 CET 2004
Mark Sapiro wrote:
> Tokio Kikuchi wrote:
>
>
>>Marius Amado Alves wrote:
>>
>>
>>>Sometimes version 2.1.5 lets a user A edit the options of another user B
>>>as follows.
>>>
>>>User A consults the member list (using his name and password normally).
>>>Here A picks an email address of user B. User A returns to the main
>>>page, enters address of B in the Edit options slot and presses Edit
>>>options. Normally Mailman requires a password, but sometimes IT DOES NOT
>>>and goes straight to the editable options list page.
>>>
>>>I'd like to know if somebody else has experienced this behavior.
>>
>>Isn't the user A also the owner of the list ?
No.
Long answer: they might be the same person in the world outside Mailman.
But they have different email addresses to Mailman. Mailman should not
be able to make the association.
>>If he have logged in at the admin page and go to options page of any
>>member of the list, then the password input is passed. Go to the admin
>>page and click the Logout link. Then try again for user B.
>
> As Tokio points out, if user A logged in with the list password rather
> than user A's personal password, this explains the behavior and is not
> a problem since someone who knows the list password is allowed to
> visit any options page.
>
> Even if user A provided her/his personal password when visiting the
> roster, if he/she had previously logged in with the list password
> during that session and not logged out, the list admin login cookie
> will still be in the browser enabling visits to other users options
> without their passwords.
Damn cookies!
> Other than this, I am unable to duplicate this problem in any way that
> might be a security breach. I have tried both the scenario that Marius
> gives and also, just clicking user B's address in the roster which is
> processed the same way. The only times I can successfuly reach user
> B's options page without a password are those times when I have
> previously logged in with the list password and not logged out or
> closed the browser in between.
That must be it. I hope it is! (Damn cookies!)
Thanks a lot.
More information about the Mailman-Users
mailing list