[Mailman-Users] POST based subscribe attacks

Mark Sapiro mark at msapiro.net
Mon Oct 29 18:40:14 CET 2012


Ben Cooksley wrote:
>
>It seems that the attackers are capitalizing on Mailman's lack of CSRF
>protection. Does anyone know if there are plans to add CSRF protection
>into Mailman 2?


It depends what you mean by CSRF protection. If you mean true
protection based on something like the addition and validation of some
nonce in URLs, then no, there are no plans to do this.

However, the admin interface in Mailman 2.1.15 has been somewhat
hardened against CSRF. The following is from the 2.1.15 section of the
NEWS file

> The web admin interface has been hardened against CSRF attacks by adding
> a hidden, encrypted token with a time stamp to form submissions and not
> accepting authentication by cookie if the token is missing, invalid or
> older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one
> hour.  Posthumous thanks go to Tokio Kikuchi for this implementation
> which is only one of his many contributions to Mailman prior to his
> death from cancer on 14 January 2012.


This hardening does not extend to the subscribe form, but I doubt that
CSRF is involved there as no authentication is required to POST a
subscribe request. Anyone can GET the listinfo page and then post the
form data. Otherwise, it wouldn't be very useful as a user
subscription request.

Also, see the thread at
<http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>
referred to in Carl's reply.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

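Added example, not part of Mark's message and not Mailman's own code: a keyed, timestamped form token of the kind the 2.1.15 NEWS entry describes, together with the rule that a valid admin cookie is no longer enough when the token is missing, invalid or older than FORM_LIFETIME. It also shows, as a hypothetical, why extending such a token to the listinfo subscribe form would not stop the POST floods the thread is about: the form needs no cookie, so the bot's own GET hands it a usable token. The secret, the "csrf_token" field name, the "anonymous" user and all function names are assumptions made for this example; Mailman's real token format and key derivation are not reproduced here.

```python
# Added example (not Mailman's code): an HMAC-signed, timestamped form
# token and the "no cookie auth without a fresh token" rule.
# SITE_SECRET, the field name "csrf_token" and every function name are
# assumptions made for this example.
import base64
import hashlib
import hmac
import time

FORM_LIFETIME = 3600                            # seconds; NEWS says the default is one hour
SITE_SECRET = b"constructed-example-secret"     # assumption: a per-site key


def _payload(ts, listname, user):
    # Bind the token to the timestamp, the list and the admin user so a
    # token captured on one list cannot be replayed against another.
    return f"{ts}:{listname}:{user}".encode()


def make_form_token(listname, user, now=None):
    """Value for the hidden form field: base64(timestamp ':' HMAC-SHA256)."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(SITE_SECRET, _payload(ts, listname, user), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(str(ts).encode() + b":" + mac).decode()


def check_form_token(token, listname, user, now=None, lifetime=FORM_LIFETIME):
    """Return 'ok', or 'missing' / 'invalid' / 'expired' explaining the rejection."""
    if not token:
        return "missing"
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        ts_bytes, mac = raw.split(b":", 1)
        ts = int(ts_bytes)
    except ValueError:              # bad base64, no separator or non-numeric stamp
        return "invalid"
    expected = hmac.new(SITE_SECRET, _payload(ts, listname, user), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"            # wrong key, other list/user, or tampered stamp
    now = int(time.time()) if now is None else int(now)
    if now - ts > lifetime:
        return "expired"            # older than FORM_LIFETIME
    return "ok"


def admin_post_authenticated(cookie_valid, form, listname, user, now=None):
    """The 2.1.15 rule: cookie authentication is refused unless the token is good."""
    if not cookie_valid:
        return False
    return check_form_token(form.get("csrf_token"), listname, user, now) == "ok"


def bot_subscribe_passes_check(listname, now=None):
    """Hypothetical: put the same token on the subscribe form.

    Nothing authenticates the subscriber, so the token is issued to
    whoever GETs listinfo; a bot GETs the page and POSTs the token back
    within the lifetime, and the check passes exactly as for a human.
    """
    token = make_form_token(listname, "anonymous", now)     # what the bot's GET returned
    return check_form_token(token, listname, "anonymous", now) == "ok"


if __name__ == "__main__":
    t0 = 1_351_530_000                                       # constructed fixed clock
    tok = make_form_token("mylist", "admin", now=t0)
    print("cross-site POST, cookie only:", admin_post_authenticated(True, {}, "mylist", "admin", now=t0))
    print("fresh token:", admin_post_authenticated(True, {"csrf_token": tok}, "mylist", "admin", now=t0))
    print("token after 2 hours:", check_form_token(tok, "mylist", "admin", now=t0 + 7200))
    print("bot on an open subscribe form:", bot_subscribe_passes_check("mylist", now=t0))
```

The token defends the admin pages because the attacker's page cannot read the hidden field out of the victim's browser, while the cookie the victim's browser attaches is no longer accepted on its own. A subscribe form has no victim session to protect, which is the point of the reply: the flood is ordinary automated POSTing, not CSRF, and a token the bot can fetch for itself does nothing against it.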