Re: Insecure default permissions for MailMan Professional Edition,

From: Terry (baderat_private)
Date: Wed Dec 31 1969 - 15:59:59 PST


    jared,
    
    MailMan was intended as a comfort feature for users, an add-on per se.  The
    extra ability to check email anywhere instead of having to log on to the
    system.  It should not be used for absolutely secure email use.  If you use
    MailMan and your users have the ability to make and use cgi-scripts, then it
    will not matter what permissions you use.  MailMan runs on your web-server and
    thusly it runs as 'nobody' or whatever name you have given the web-server.
    Also, your users' CGIs run as 'nobody' on the web server.  So, if a user
    creates a cgi that can access files and directories as nobody via the web, then
    they can also access all the files that MailMan creates.
    So you see, MailMan is absolutely not your solution if you want the most secure
    email system. Yes, changing the perms to 0600 and 0700 helps deter; however, it
    does not protect absolutely from within the system.
    If you wish a copy of a cgi script that I downloaded from the open web, that
    does execute commands as 'nobody', just email me at the above address.
    
    > Hello,
    >
    > There exists a potentially severe security issue regarding the default
    > permissions that the Endymion web-based email suite uses to create files
    > and directories for internal use.
    >
    > This issue regards files created by Endymion in the admin specified
    > 'users/' directory,
    > ($mailman::strLocalLocationUsers in mmprool.cgi)
    >
    >   I was disturbed to see default permissions of 666 for files, and 777 for
    > directories created by Endymion. I have been able to:
    >
    > 1) read/write/delete arbitrary users' email from an unprivileged account
    > 2) overwrite/trash arbitrary files owned by uid webmaster.
    >
    > Note that the uid these operations perform as is dependent on which uid
    > decompresses the program, and if the system administrator has taken the
    > time to check permissions of said decompressed files.
    >
    > I do recognize that Endymion warns sysadmins to change the permission
    > values in the script, but of course we know how concerned most sysadmins
    > are with security :)
    >
    > My suggested changes:
    > 1) default file permissions of 0600
    > 2) default directory permissions of 0700
    >
    >
    > Regards,
    > --jared <rpcat_private>
    > Security Specialist
    > Internet Arena
    >
    > Greets: lesia/unholy/b4b0/hhp
    >
    
    
    Terry Bader
    baderat_private
    icq: 5202487
    
    -----------------------------------------------
    Old Dominion University - Computer Science Dept
    http://www.cs.odu.edu/
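
As an added example (not part of this thread and not MailMan's own code), here is a small Python audit of a MailMan users/ tree that applies both points above: it flags every entry still carrying group/other bits (the 666/777 defaults), and it separately flags 0600/0700 entries that are owned by the web-server uid, which any user CGI running as that uid can still read. The verdict strings, the demo() tree and the choice of the current uid as the web-server uid are constructed for this example.

```python
import os
import stat
import tempfile
from typing import List, NamedTuple

# Constructed verdict labels for this example (not MailMan's own output).
WORLD = "group/other bits set: tighten to 0600 (file) / 0700 (dir)"
SAME_UID = "owner-only, but owned by the web-server uid: any CGI running as that uid can still read/write it"
OK = "owner-only and owned by a different uid than the web server"

class Finding(NamedTuple):
    path: str
    perm: int
    owner_uid: int
    verdict: str

def classify(path: str, mode: int, owner_uid: int, webserver_uid: int) -> Finding:
    """Decide what a MailMan-created entry exposes, given the uid the web server runs as."""
    perm = stat.S_IMODE(mode)
    if perm & 0o077:                      # any group or other permission bit set
        verdict = WORLD
    elif owner_uid == webserver_uid:      # 0600/0700 does not help against same-uid CGIs
        verdict = SAME_UID
    else:
        verdict = OK
    return Finding(path, perm, owner_uid, verdict)

def scan(root: str, webserver_uid: int) -> List[Finding]:
    """Walk a users/ tree (the $mailman::strLocalLocationUsers directory) and classify every entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            findings.append(classify(full, st.st_mode, st.st_uid, webserver_uid))
    return findings

def demo() -> List[Finding]:
    """Constructed users/ tree: a 777 user dir, one 666 mailbox (reported defaults) and one 0600 mailbox."""
    root = tempfile.mkdtemp(prefix="mailman_users_")
    user_dir = os.path.join(root, "alice")
    os.mkdir(user_dir)
    os.chmod(user_dir, 0o777)                 # reported default for directories
    for name, perm in (("inbox.666", 0o666), ("inbox.0600", 0o600)):
        p = os.path.join(user_dir, name)
        open(p, "w").close()
        os.chmod(p, perm)
    # Everything here is owned by us, so treat our own uid as the web-server uid.
    return scan(root, os.getuid())
```

Run `demo()` (or `scan("/path/to/users", webserver_uid)` against a real tree) and print each Finding; the 0600 mailbox is reported as still exposed because its owner is the uid the CGIs run as.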
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:34 PDT