[Mailman-Users] htdig patches and information leakage

[Richard Barrett]

At 11:53 22/02/2003, Rupa Schomaker wrote:
>One can choose to search any archive (even private ones) by
>constructing the URL correctly.  If "Short" mode one can find subjects
>for the private list.  In "Long" mode one can find excerpts from the
>private list.  Viewing the actual message requires logging in.

I'm addressing the issue raised above in the context of the #444884 patch 
on sourceforge. If you were not referring to that patch to integrate htdig 
with MM thanks anyway for highlighting a potential problem.

In "normal" use this problem does not arise as access to the search form 
for a private list archive is from the list's TOC page which requires 
authentication by CGI script private.py to access. Also search results are 
links which go via the CGI script htdig.py which enforces the same rules as 
private.py

But it is possible for a malicious user to bypass the search form on a 
private list's archive TOC page (and thus avoid logon via the MM private.py 
CGI script) and construct a URL which will get them search results from a 
private list's htdig indexes. Thus leakage via the page returned by 
htsearch, rather than the pages which links on that page point to, is possible.

>It seems to me that a better solution is to use a proxy cgi-bin
>program for htsearch that first checks to see if the list is private
>and if so do the same auth check that the htdig does (just error if
>not authened) or actually ask for login info...  If the user is
>authenticated or if it is a public list, then just exec the htsearch
>cgi program.

I'll post a revised version of patch #444884 tomorrow that deals with the 
issue you've raised and provides an update path for existing installations 
using the patch.

>--
>-rupa