[Mailman-Developers] Cookie security hole in admin interface

John Morton jwm@plain.co.nz
Thu, 10 Jun 1999 18:14:42 +1200 (NZST)


[Didn't see this problem discussed in the recent archive messages, so...]

I was looking at the code for the admin cgi in search of a good cookie 
authentication system, and found out that it was doing this,

    c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
    if c.has_key(list_name + "-admin"):
        if c[list_name + "-admin"].value == `hash(list_name)`:
            return 1

...to authenticate based on a cookie. This code is from 1.0b8, but it
only took a couple of minutes to set the appropriate wafer in my
junkbuster configuration, and point netscape at the admin page for
mailman-developers. I'll leave the replication of this exploit as an
exercise for the readers.

Possible solutions:

Lock down that URL with whatever security features your web server
has. This sucks as a long-term solution, but it should protect from
disgruntled script kiddies that you just chucked off your lists.

Make the value based on a hash of some slow changing system
variable. Something that changes with the frequency of your desired
expire time, for example. Maybe a cron job to set a key based on some
fast changing system stats every hour or so.

Use SSL for the admin interface and save the name and password in the
cookie.

Any better suggestions? 

John.
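The following is an added example, not Mailman's code and not part of John's message. It ports the 1.0b8 check quoted above to current Python, shows a forged Cookie header passing it (the expected value is a function of the public list name and nothing else), and then checks the same header against a replacement in the direction of the second suggestion: an HMAC over the list name and an expiry time, keyed by a secret that never leaves the server. The function names `weak_is_admin`, `forge_weak_cookie`, `make_admin_cookie`, `strong_is_admin`, the `expiry:mac` cookie layout and the one-hour lifetime are assumptions of the example.

```python
import hashlib
import hmac
import os
import time
from http.cookies import SimpleCookie


def weak_is_admin(cookie_header, list_name):
    """The 1.0b8 check as posted, ported to Python 3.

    The expected cookie value is repr(hash(list_name)), i.e. a pure function
    of the public list name, so anyone who knows the function can forge it.
    (Python 1.x backticks are repr(); Python 1.x's Cookie.Cookie parsed the
    HTTP_COOKIE header much as SimpleCookie does here.)
    """
    c = SimpleCookie(cookie_header)
    key = list_name + "-admin"
    return key in c and c[key].value == repr(hash(list_name))


def forge_weak_cookie(list_name):
    """What an attacker sends: a Cookie header the weak check accepts.

    Python 3 randomises str hashes per process, so forger and checker must
    share a process here; Python 1.x's hash() was fixed, which is why a
    static wafer in a client-side proxy worked against the real server.
    """
    return "%s-admin=%s" % (list_name, repr(hash(list_name)))


def _mac(secret, list_name, expires):
    # Bind the list name and the expiry together under the server secret.
    msg = ("%s:%d" % (list_name, expires)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_admin_cookie(list_name, secret, lifetime=3600, now=None):
    """Issue 'list-admin=<expiry>:<hmac>' after a successful password login.

    Only the server holds `secret`, so nobody else can mint a valid value;
    the expiry limits how long a stolen cookie stays useful.
    """
    expires = int((time.time() if now is None else now) + lifetime)
    return "%s-admin=%d:%s" % (list_name, expires, _mac(secret, list_name, expires))


def strong_is_admin(cookie_header, list_name, secret, now=None):
    """Accept the cookie only if it is unexpired and its MAC verifies."""
    c = SimpleCookie(cookie_header)
    key = list_name + "-admin"
    if key not in c:
        return False
    try:
        exp_s, mac = c[key].value.split(":", 1)
        expires = int(exp_s)
    except ValueError:          # malformed value, including the forged one
        return False
    if expires < (time.time() if now is None else now):
        return False
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    return hmac.compare_digest(mac, _mac(secret, list_name, expires))


def demo(list_name="mailman-developers", secret=None, now=None):
    """Run both checks against a forged cookie and a legitimately issued one."""
    secret = os.urandom(32) if secret is None else secret
    forged = forge_weak_cookie(list_name)
    issued = make_admin_cookie(list_name, secret, now=now)
    return {
        "weak_accepts_forged": weak_is_admin(forged, list_name),
        "strong_accepts_forged": strong_is_admin(forged, list_name, secret, now=now),
        "strong_accepts_issued": strong_is_admin(issued, list_name, secret, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%s: %s" % (name, result))
```

The HMAC cookie fixes forgery and adds an expiry, but it is still a bearer token: anyone who can read it on the wire can replay it until it expires, which is why the SSL suggestion is not made redundant by it.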