[Mailman-Users] POST based subscribe attacks

Ben Cooksley bcooksley at kde.org
Mon Oct 29 20:33:14 CET 2012

On Tue, Oct 30, 2012 at 6:40 AM, Mark Sapiro <mark at msapiro.net> wrote:
> Ben Cooksley wrote:
>>It seems that the attackers are capitalizing on Mailman's lack of CSRF
>>protection. Does anyone know if there are plans to add CSRF protection
>>into Mailman 2?
> It depends what you mean by CSRF protection. If you mean true
> protection based on something like the addition and validation of some
> nonce in URLs, then no, there are no plans to do this.

I mean placing some form of unique token in the form itself on the web
page, and validating this token on the server side.

> However, the admin interface in Mailman 2.1.15 has been somewhat
> hardened against CSRF. The following is from the 2.1.15 section of the
> NEWS file

That is good news.

>> The web admin interface has been hardened against CSRF attacks by adding
>> a hidden, encrypted token with a time stamp to form submissions and not
>> accepting authentication by cookie if the token is missing, invalid or
>> older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one
>> hour.  Posthumous thanks go to Tokio Kikuchi for this implementation
>> which is only one of his many contributions to Mailman prior to his
>> death from cancer on 14 January 2012.
> This hardening does not extend to the subscribe form, but I doubt that
> CSRF is involved there as no authentication is required to POST a
> subscribe request. Anyone can GET the listinfo page and then post the
> form data. Otherwise, it wouldn't be very useful as a user
> subscription request.

A pity, as the subscription form definitely could do with the same
form of protection.

The need to retrieve another page, parse the html to get the CSRF
token and then generate an appropriate POST request would represent a
much larger obstacle than the current Mailman subscription system,
which provides no protection.

> Also, see the thread at
> <http://mail.python.org/pipermail/mailman-users/2012-October/074213.html>
> referred to in Carl's reply.

While i'm aware that CAPTCHA's can be broken, it does raise the level
of difficulty the spammer must go through to abuse your service.

> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Ben Cooksley
KDE Sysadmin

More information about the Mailman-Users mailing list