[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Perry E. Metzger perry at piermont.com
Fri Jul 22 21:39:50 EDT 2016

On Fri, 22 Jul 2016 09:48:34 -0700 Mark Sapiro <mark at msapiro.net>
> On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> > On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro
> > <mark at msapiro.net>  
> >>
> >> I am not an expert on httpoxy at all, but quoting from
> >> <https://httpoxy.org/#top>
> >>
> >> "httpoxy is a vulnerability for server-side web applications. If
> >> you’re not deploying code, you don’t need to worry."
> >>
> >> Mailman's web UI serves end user HTML pages. It does not deploy
> >> code.
> >>  
> > 
> > Er, it uses CGI scripts, doesn't it? That's what it means to
> > "deploy code" in this context.  
> That's not the way I read it,

It works by an attacker inserting an http_proxy header into the
headers which it presents to the web server, which are then passed in
the HTTP_PROXY environment variable to the CGI script. I think that
there aren't many ways to read this.

> but if you think that's the case, then
> you've already decided that Mailman 2.1 is vulnerable depending on
> the specific web server configuration.

I don't know. I don't know if Mailman uses any of the vulnerable
routines that might cause HTTP_PROXY being set to cause trouble.

> GNU Mailman has no control
> over how you set up your web server to serve Mailman's CGI output,
> so your question should be "is my web server configuration
> vulnerable?".

Not entirely, no. You could defend Mailman by interposing code on the
http server of course.

Perry E. Metzger		perry at piermont.com

More information about the Mailman-Users mailing list