Barry
I am not convinced that all the potential security problems with private.py are covered by the patch being published. For some time I have added modifications to private.py as part of my htdig integration patch which maybe should be considered for addition to the standard MM distribution.
I give below the patch to private.py for MM release 2.1.4 (although the same fix applies to later releases) and some notes on the matter in the INSTALL.htdig-mm file added by my patch.
Of course, these changes may be judged irrelevant by Mailman's developers.
As an aside, I am not able to:
1. identify exactly what the exploit is.
2. see why it impacts solely on private archive access via private.py.
3. see why the Apache version is relevant to how private.py operates, unless the PATH_INFO environment variable value being set up for the CGI script by Apache is a result of version-dependent processing done by Apache on the request URI.
Richard
$build/INSTALL.htdig-mm
------------------------------------------------------------------------ -
<snip>
$prefix/Mailman/Cgi/private.py
There is a security hole in the released Mailman code via which private.py will
serve files such as a list's archive pipermail.pck and files in the list's
archive database sub-directory. This hole also allows access to the list's
archive htdig sub-directory. Fixes for this are applied. As htdig.py (see below)
is based on private.py the same security fix has been incorporated into it.
<snip>
Notes and Warnings
------------------
Archive security problems resolved by htdig-2.1.3-0.2 patch
This patch is hopefully the final step in closing security holes in archive
access.
In version htdig-2.1.3-0.1.patch, htdig.py was rebased on the standard MM
release's private.py which had moved on since the snapshot of it used as the
basis for htdig.py was originally taken. Among other things, htdig.py had been
modified to prevent access to some files in list archive directories such as a
list's archive pipermail.pck and files in the list's archive database
sub-directory.
This rebasing action re-introduced to htdig.py the security holes, still extant
in private.py despite it being later code, via which private.py would serve
files such as a list's archive pipermail.pck and files in the list's archive
database sub-directory.
The permissions on these files and directories mean that they are inaccessible
via the web server using /pipermail/ URIs if a list's archive is public.
<snip>
------------------------------------------------------------------------ -
------------------------------------------------------------------------ -
diff -r -u -P --exclude=.DS_Store mailman-2.1.4-index/Mailman/Cgi/private.py mailman-2.1.4-htdig/Mailman/Cgi/private.py
--- mailman-2.1.4-index/Mailman/Cgi/private.py Sat Feb 8 07:13:50 2003
+++ mailman-2.1.4-htdig/Mailman/Cgi/private.py Thu Jan 1 12:43:24 2004
@@ -21,6 +21,7 @@
import sys
import cgi
import mimetypes
+import re
from Mailman import mm_cfg from Mailman import Utils @@ -71,7 +72,7 @@
listname = parts[0].lower() mboxfile = '' - if len(parts) > 1: + if len(parts) == 2: mboxfile = parts[1]
# See if it's the list's mbox file is being requested
@@ -100,6 +101,26 @@
doc.AddItem(Header(2, msg))
print doc.Format()
syslog('error', 'No such list "%s": %s\n', listname, e)
+ return
+
+ # If the path is not:
+ # <list name>.mbox/<list name>.mbox
+ # it should conform to:
+ # <list name>/<archive name (but not htdig or database)>/...
+ # <list name>/<file_name which must end in .txt, .txt.gz or .html>
+ # and any filenames starting with '.' are also not allowed
+ num_parts = len(parts)
+ if not mboxfile and num_parts > 1 and \
+ (parts[1] in ('database', 'htdig') or \
+ (num_parts == 2 and \
+ not re.compile(r'\.(html|txt|txt\.gz)$').search(true_filename) \
+ ) or parts[-1][0] == '.' \
+ ):
+ msg = _('Invalid archive file requested')
+ doc.SetTitle(msg)
+ doc.AddItem(Header(2, msg))
+ print doc.Format()
+ syslog('error', 'Invalid archive file requested: %s', true_filename)
return
i18n.set_language(mlist.preferred_language)
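Review bot: the new guard in this hunk validates `parts` but the only thing it checks on `true_filename`, the path that is actually served, is the extension regex, and that check is applied solely when `num_parts == 2`; `parts[1]` is the only component compared against `('database', 'htdig')`, and nothing in this hunk rejects a `..` component, so any `<list>/<archive>/<deeper path>` request is accepted provided its last component does not start with `.`. Suggest applying the allowlist at every depth (test the extension of `parts[-1]` whenever `num_parts >= 2`, and reject any component equal to `..` or beginning with `.`), and building the path that is opened from the validated `parts` rather than relying on a separately derived `true_filename`. Minor: hoist `re.compile(r'\.(html|txt|txt\.gz)$')` to module level so it is not recompiled per request, and include `parts` in the `syslog` call so the rejection reason is recoverable from the log.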
------------------------------------------------------------------------ -
On 10 Feb 2005, at 14:41, Barry Warsaw wrote:
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman 2.1 versions which can allow remote attackers to gain access to member passwords under certain conditions. The extent of the vulnerability depends on what version of Apache you are running, and (possibly) how you have configured your web server. However, the flaw is in Mailman and has been fixed in CVS and will be included in the Mailman 2.1.6 release.
This issue has been assigned CVE number CAN-2005-0202.
We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are. In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.
The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable. This will disable all access to all private archives on
your system. While this is the quickest and easiest way to close the
hole, it will also break all your private archives. If all the lists on
your site only run public archives, this won't matter to you.
Until Mailman 2.1.6 is released, the longer term fix is to apply this patch:
http://www.list.org/CAN-2005-0202.txt
For additional peace of mind, it is recommended that you regenerate your
member passwords. Instructions on how to do this, and more information
about this vulnerability are available here:
http://www.list.org/security.html
My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. This issue was found by Marcus Meissner.
-Barry
-----------------------------------------------------------------------
Richard Barrett http://www.openinfo.co.uk
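The INSTALL.htdig-mm notes and the patch comment above describe an allowlist for private-archive requests: the `<list>.mbox/<list>.mbox` form, or `<list>/<archive>/...` where `database` and `htdig` are never served and the last component must be an `.html`, `.txt` or `.txt.gz` file not beginning with a dot. The following is an added example, not Richard's patch and not Mailman's own private.py, showing that rule as a stand-alone Python 3 function and generalising it: every component is checked for `.`-prefixed names (which also covers `..`), the extension rule is applied at every depth, the path to open is rebuilt from the validated components rather than from the raw PATH_INFO string, and containment under the archive root is asserted at the end. The `ARCHIVE_ROOT` value is an assumption standing in for Mailman's `mm_cfg.PRIVATE_ARCHIVE_FILE_DIR`; the request strings in the test are constructed.

```python
import posixpath
import re

# Assumed location of the private archives (Mailman reads this from mm_cfg).
ARCHIVE_ROOT = "/usr/local/mailman/archives/private"

# Per-list directories that hold pipermail/htdig state and are never served directly.
BLOCKED_DIRS = frozenset(["database", "htdig"])

# Only these archive file types may be served; pipermail.pck and similar never match.
ALLOWED_FILE_RE = re.compile(r"\.(html|txt|txt\.gz)$")


def _join_under_root(archive_root, parts):
    """Rebuild the file path from validated components and confirm it stays under the root."""
    root = posixpath.normpath(archive_root)
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_archive_request(path_info, archive_root=ARCHIVE_ROOT):
    """Map a private-archive PATH_INFO to the file to serve, or None if the request is rejected.

    Rules (the allowlist from the INSTALL notes, applied at every depth):
      <list>.mbox/<list>.mbox                  -> the whole-archive mbox, nothing deeper
      <list> or <list>/ or <list>/<dir>/       -> that directory's index.html
      <list>/<not database|htdig>/.../<file>   -> <file> must end in .html, .txt or .txt.gz
    No component may begin with '.', which excludes '.', '..' and dotfiles such as .htaccess.
    """
    parts = [p for p in path_info.split("/") if p]
    is_dir = path_info.endswith("/")
    if not parts:
        return None
    if any(p.startswith(".") for p in parts):
        return None

    listname = parts[0].lower()
    parts[0] = listname

    # The mbox form is exactly two identical components and is handled on its own.
    if listname.endswith(".mbox"):
        if len(parts) == 2 and parts[1].lower() == listname:
            return _join_under_root(archive_root, [listname, listname])
        return None

    # A bare list name or a trailing slash is a directory request: serve its index page.
    if len(parts) == 1 or is_dir:
        parts = parts + ["index.html"]

    if parts[1] in BLOCKED_DIRS:
        return None
    if not ALLOWED_FILE_RE.search(parts[-1]):
        return None

    return _join_under_root(archive_root, parts)
```

The function is purely lexical so it runs without touching the filesystem; a deployment that allows symlinks inside the archive tree would additionally want `os.path.realpath` on the result before opening it, with the same containment test repeated on the resolved path.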