Mailman/Pipermail private mailing list/local user vulnerability

From: H. Peter Anvin (hpaat_private)
Date: Tue Apr 16 2002 - 21:20:09 PDT

    There is a vulnerability in Pipermail (mailing list archiving software 
    distributed with and integrated with Mailman), that affects you if you 
    have local users on the machine.
    
    If you have (a) private Mailman mailing lists and (b) user
    logins on the same machine, any local user can read the archives of
    those private mailing lists.
    
    The Mailman people have apparently declined to fix this bug.  Therefore
    I wanted to report it here so people are at the very least aware.
    
    Attached is my bug report and their response.
    
    	-hpa
    
    
     > Bugs item #474616, was opened at 2001-10-24 16:35
     > You can respond by visiting:
     > http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
     >
     > Category: Pipermail
     > Group: None
     >
     >>Status: Closed
     >>Resolution: Wont Fix
     >
     > Priority: 8
     > Submitted By: H. Peter Anvin (hpa)
     > Assigned to: Nobody/Anonymous (nobody)
     > Summary: SECURITY: Pipermail permissions problem
     >
     > Initial Comment:
     > $mailman_root/archive/private is o+x in the default
     > installation.  This allows anyone with local access to
     > the machine to read the archives of private mailing
     > lists, as long as they know the (trivial) structure of
     > the files beneath this directory.
     >
     > I have verified that changing this directory to o-x
     > causes *all* pipermail pages to become inaccessible, so
     > that does not resolve the problem.
     >
     > There presumably needs to be a setgid program involved
     > which can verify that the user is authenticated and
     > give access to the archives if appropriate; then that
     > directory can be made o-x.
     >
     >
     >
     > ----------------------------------------------------------------------
     >
     >
     >>Comment By: Barry Warsaw (bwarsaw)
     >
     > Date: 2002-04-11 18:40
     >
     > Message:
     > Logged In: YES
     > user_id=12800
     >
     > I'm not inclined to fix this, since this arrangement is
     > crucial to the web security of private archives.  Since
     > Mailman is usually run on mail and/or web servers that have
     > very limited access anyway, I don't consider this an
     > important vulnerability.
     >
     >
     > ----------------------------------------------------------------------
     >
     > You can respond by visiting:
     > http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
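An added example (not part of the original post, and not Mailman's own code): a read-only audit an administrator can run to see whether the private archive directory is o+x and which entries beneath it a local user outside the owning group could open by name. The function names `other_bits` and `audit_private_archives` are assumptions made for this sketch; the directory to check is passed in by the administrator.

```python
import os
import stat
import sys


def other_bits(mode):
    """Render the 'other' permission triplet, e.g. '--x' or 'r-x'."""
    flags = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    return "".join(ch if mode & bit else "-" for ch, bit in flags)


def audit_private_archives(private_dir):
    """Return (traversable, exposed) for a private archive directory.

    traversable: True when private_dir itself is o+x.
    exposed: (path, other_bits) for every entry beneath it that a user
    outside the owning group could reach by name.
    """
    traversable = bool(os.lstat(private_dir).st_mode & stat.S_IXOTH)
    exposed = []
    if not traversable:
        return traversable, exposed
    for root, dirs, files in os.walk(private_dir):
        reachable = []
        for name in sorted(dirs):
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            # Only descend where 'other' can traverse; symlinks are skipped.
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                exposed.append((path, other_bits(mode)))
                reachable.append(name)
        dirs[:] = reachable
        for name in sorted(files):
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append((path, other_bits(mode)))
    return traversable, exposed


if __name__ == "__main__":
    # Usage: python audit.py "$mailman_root/archive/private"
    ok, found = audit_private_archives(sys.argv[1])
    print("o+x on private dir:", ok)
    for path, bits in found:
        print(f"  other={bits}  {path}")
```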
    