[Mailman-Developers] Re: Is MM cookie auth 'secure' thru HTTP proxy servers?
Richard Barrett
R.Barrett@ftel.co.uk
Tue, 23 Apr 2002 11:03:19 +0100
Further to what I said before (see below), I now enclose a patch to correct
the problem. The patch is to the WebAuthenticate function in
Mailman.SecurityManager. It adopts the simple hypothesis that if you are
setting or checking a cookie then the response about to be made shouldn't
be cached.
>Date: Mon, 22 Apr 2002 17:30:14 +0100
>To: mailman-developers@python.org
>From: Richard Barrett <r.barrett@ftel.co.uk>
>Subject: Is MM cookie auth 'secure' thru HTTP proxy servers?
>
>Can someone out there sanity check my thinking on a possible hole in
>Mailman's cookie based authentication.
>
>The scenario I'm concerned with is when Mailman's web GUI is being
>accessed by a browser via a caching HTTP proxy server such as Squid,
>hardly an uncommon situation these days.
>
>If my understanding is correct, then Squid (legitimately and like probably
>any other HTTP proxy) has no qualms about caching a page merely because of
>the existence of Cookies or Set-Cookie headers in the response or request.
>This is justified by RFC 2616. The Squid FAQ says:
>
><quote>
>The presence of Cookies headers in requests does not affect whether or not
>an HTTP reply can be cached. Similarly, the presence of Set-Cookie headers
>in replies does not affect whether the reply can be cached.
></quote>
>
>It appears to me that in the absence of a Cache-Control header with a
>value of private, no-cache or no-store a caching proxy server is free to
>cache the response to an HTTP request purportedly protected by MM's cookie
>based authentication AND to again serve that response to any other
>requesting client WITHOUT consulting the server delivering the Mailman web GUI.
>
>I am hoping one of you kind readers will tell me I have missed the obvious
>in my examination of the problem and the MM source, or that the scenario
>above is invalid for any reason.
>
>In the meantime I'm working up a patch to block this possible security
>hole by adding Cache-Control headers in the HHTP responses generated by
>MM's web GUI.
patch file:
cut here
--------------------------------------------------------------------------
--- mailman-2.0.10/Mailman/SecurityManager.py Tue Nov 6 04:25:26 2001
+++ mailman-2.0.10-cache/Mailman/SecurityManager.py Tue Apr 23 09:44:22
2002
@@ -31,7 +31,7 @@
from Mailman import Cookie
from Mailman import mm_cfg
-
+nocache = "Cache-Control: private"
class SecurityManager:
def InitVars(self, crypted_password):
@@ -66,10 +66,14 @@
self.ConfirmUserPassword(user, password)
else:
self.ConfirmAdminPassword(password)
+ print nocache
print self.MakeCookie(key)
return 1
else:
- return self.CheckCookie(key)
+ res = self.CheckCookie(key)
+ if res:
+ print nocache
+ return res
def MakeCookie(self, key):
# Ingredients for our cookie: our `secret' which is the list's admin
cut here
--------------------------------------------------------------------------