[Mailman-Developers] Hashing member passwords in config.pck
Tobias Eigen
tobias at kabissa.org
Thu Feb 10 19:50:13 CET 2005
I'm with Bob here - I did a scan of the httpd log on my mailman server
and I'm pretty sure we were not hit by either the spammers using the
~mailman/cgi-bin/roster vulnerability or the hackers via the
~mailman/cgi-bin/private vulnerability. I've now disabled both of these
scripts for the time being until I find a way to plug the holes.
Encrypting passwords will go a long way to fixing the risk in the
future, and forcing everyone to change their passwords is really a big
burden on them, especially if we're pretty sure they aren't
compromised.
Cheers,
Tobias
On Feb 10, 2005, at 1:29 PM, Bob Puff at NLE wrote:
> I've -always- disabled the monthly reminders, so that would be no
> great loss.
>
> If we convert to one-way passwords, could the upgrade script convert
> the current passwords? It would be a -big- deal if everyone had to
> reset their passwords.
>
> Bob
>
> Barry Warsaw wrote:
>
>> I think CAN-2005-0202 gives us the opportunity to finally implement what
>> we have long considered an embarrassing exposure in Mailman's config.pck
>> databases. Member passwords are kept in this database in the clear.
>> The obvious fix is to hash member passwords and keep only the hash in
>> the database.
>>
>> We haven't changed this before now for two reasons:
>>
>> 1. We would have to regenerate all member passwords, which is an
>> administrative burden. We might also need to implement checks to see if
>> the passwords were cleartext or hashed and do the password comparison
>> accordingly.
>>
>> 2. This breaks all password reminders.
>>
>> To fully address CAN-2005-0202 we're recommending sites regenerate their
>> member passwords anyway, so this gives us an opening to fix this
>> properly. And we have a better internal password generator now too.
>>
>> As for #2, well, I think most people hate those password reminders
>> anyway, and we've decided that they are going away for MM3. I don't
>> think many people would shed too many tears if we killed off monthly
>> password reminders for 2.1.6. Doing that would also eliminate the
>> requirement for the site list, since its primary purpose is to function
>> as the sender of the reminder messages.
>>
>> To do this for 2.1.6, we'd have to change the "Email My Password To Me"
>> feature in the options page and in the member login page. These would
>> have to become a "create a new password for me" feature. Also,
>> crontab.in should not call mailpasswds anymore, or that script should
>> turn into a simple "here's the lists you are on" reminder, without the
>> password information in it. This will require i18n updates too.
>>
>> The downside to doing this now is that it's more coding work for 2.1.6
>> and I'd like to get the new version out asap. Still, this seems like an
>> opportunity that we shouldn't lightly dismiss.
>>
>> What do you all think? Is anybody willing to take a crack at a patch
>> for this?
>>
>> -Barry
>> ----------------------------------------------------------------------
>> --
>> _______________________________________________
>> Mailman-Developers mailing list
>> Mailman-Developers at python.org
>> http://mail.python.org/mailman/listinfo/mailman-developers
>> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
>> Searchable Archives:
>> http://www.mail-archive.com/mailman-users%40python.org/
>> Unsubscribe:
>> http://mail.python.org/mailman/options/mailman-developers/
>> bob%40nleaudio.com
--
Tobias Eigen
Executive Director
Kabissa - Space for Change in Africa
http://www.kabissa.org
* Kabissa's vision is for a socially, economically, politically, and
environmentally vibrant Africa, supported by a strong network of
effective civil society organizations. *
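The two mechanics the thread turns on are Barry's point 1 (a login check that must cope with both cleartext and hashed records while a site is mid-transition) and Bob's question (whether an upgrade script can convert the existing cleartext passwords rather than forcing a reset). The following is an added illustration written for this archive page, not Mailman's own code: a plain dict stands in for the member-to-password mapping kept in config.pck, the record format "$pbkdf2-sha256$<iterations>$<salt>$<hash>" and the choice of PBKDF2-HMAC-SHA256 are assumptions of the example, and the member entries are constructed sample data.

```python
"""Cleartext-to-hash migration for a member password store.

Added example, not Mailman code. ``db`` is a dict of member address ->
stored password that stands in for the config.pck member database. A
stored value is either a legacy cleartext password or a self-describing
record "$pbkdf2-sha256$<iterations>$<salt_b64>$<hash_b64>" (assumed
format for this example).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

PREFIX = "$pbkdf2-sha256$"
ITERATIONS = 100_000

# Constructed sample store: two legacy cleartext entries, as a pre-upgrade
# config.pck would hold them. Not real member data.
SAMPLE_MEMBERS = {
    "alice@example.org": "hunter2",
    "bob@example.org": "correct horse",
}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a salted PBKDF2 record for ``password``; fresh salt by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(digest).decode("ascii"))


def is_hashed(stored: str) -> bool:
    """The check Barry mentions: tell a migrated record from legacy cleartext."""
    return stored.startswith(PREFIX)


def _verify_hashed(stored: str, candidate: str) -> bool:
    """Recompute the hash from the record's own salt/iterations and compare."""
    try:
        _, _scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, rounds)
    return hmac.compare_digest(actual, expected)


def check_password(db: Dict[str, str], member: str, candidate: str) -> bool:
    """Verify a login against either record format.

    A legacy cleartext entry that matches is rewritten as a hash on the
    spot, so the cleartext copy disappears the first time the member logs
    in even if the one-shot upgrade has not been run.
    """
    stored = db.get(member)
    if stored is None:
        return False
    if is_hashed(stored):
        return _verify_hashed(stored, candidate)
    # Legacy cleartext record: constant-time compare, then upgrade in place.
    if hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8")):
        db[member] = hash_password(candidate)
        return True
    return False


def upgrade_database(db: Dict[str, str]) -> int:
    """One-shot conversion of every remaining cleartext entry.

    This is the upgrade-script step Bob asks about: the existing cleartext
    value is hashed directly, so members keep their current passwords.
    Returns the number of records converted.
    """
    converted = 0
    for member, stored in list(db.items()):
        if not is_hashed(stored):
            db[member] = hash_password(stored)
            converted += 1
    return converted


def cleartext_remaining(db: Dict[str, str]) -> int:
    """Count of entries still stored in the clear (0 once migration is done)."""
    return sum(1 for value in db.values() if not is_hashed(value))


if __name__ == "__main__":
    store = dict(SAMPLE_MEMBERS)
    print("converted:", upgrade_database(store))
    print("alice ok:", check_password(store, "alice@example.org", "hunter2"))
    print("cleartext left:", cleartext_remaining(store))
```

The dual-format check in `check_password` is only needed while `cleartext_remaining` is non-zero; once `upgrade_database` has been run as part of the version upgrade, every record carries the prefix and the cleartext branch is dead code that can be removed. Both branches use `hmac.compare_digest` so that a legacy entry does not leak password length or matching-prefix information through comparison timing during the transition window.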