[Mailman-Users] htdig patches and information leakage
Richard Barrett
r.barrett at openinfo.demon.co.uk
Sun Feb 23 15:25:00 CET 2003
At 11:53 22/02/2003, Rupa Schomaker wrote:
>One can choose to search any archive (even private ones) by
>constructing the URL correctly. In "Short" mode one can find subjects
>for the private list. In "Long" mode one can find excerpts from the
>private list. Viewing the actual message requires logging in.
I'm addressing the issue raised above in the context of the #444884 patch
on sourceforge. If you were not referring to that patch to integrate htdig
with MM, thanks anyway for highlighting a potential problem.
In "normal" use this problem does not arise as access to the search form
for a private list archive is from the list's TOC page which requires
authentication by CGI script private.py to access. Also search results are
links which go via the CGI script htdig.py which enforces the same rules as
private.py.
But it is possible for a malicious user to bypass the search form on a
private list's archive TOC page (and thus avoid logon via the MM private.py
CGI script) and construct a URL which will get them search results from a
private list's htdig indexes. Thus leakage via the page returned by
htsearch, rather than the pages which links on that page point to, is possible.
>It seems to me that a better solution is to use a proxy cgi-bin
>program for htsearch that first checks to see if the list is private
>and if so do the same auth check that the htdig does (just error if
>not authened) or actually ask for login info... If the user is
>authenticated or if it is a public list, then just exec the htsearch
>cgi program.
I'll post a revised version of patch #444884 tomorrow that deals with the
issue you've raised and provides an update path for existing installations
using the patch.
>--
>-rupa
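The gating wrapper Rupa sketches above (check whether the list's archive is private, enforce the same authentication private.py does, and only then hand the request to htsearch), written out as an added Python example. This is not patch #444884 and not Mailman's or htdig's own code. Its assumptions are labelled in the comments: that the htdig config name passed in the `config` query parameter equals the list name, that per-list privacy comes from a constructed table standing in for Mailman's list configuration, that the session check is a constructed stand-in for the signed-cookie validation private.py performs, and that htsearch lives at the path in `HTSEARCH`.

```python
#!/usr/bin/env python3
"""Auth-gating CGI wrapper placed in front of htdig's htsearch.

Added example, not part of the mailing-list thread or of Mailman/htdig.
Decisions fail closed: anything that is not a known list with a
well-formed name is refused instead of being passed to htsearch.
"""
import os
import re
import sys
from urllib.parse import parse_qs

# Assumed location of the real htsearch CGI binary.
HTSEARCH = "/usr/lib/cgi-bin/htsearch"

# Constructed stand-in for Mailman's per-list archive_private setting.
ARCHIVE_PRIVATE = {
    "announce": False,   # public archive: anyone may search it
    "staff": True,       # private archive: search only after logging in
}

# Constructed stand-in for sessions private.py would have accepted.
# A real deployment validates the list's signed archive cookie instead.
VALID_SESSIONS = {("staff", "session-abc")}

# Only plain list names reach htsearch; no path separators or oddities.
LIST_NAME_RE = re.compile(r"^[a-z0-9_.-]+$")


def list_from_query(query_string):
    """Return the list name a search targets, or None if it is unusable.

    Assumption: the htdig config name equals the list name and arrives as
    the `config` parameter (hypothetical mapping). Exactly one value is
    required so a second, conflicting `config` cannot slip past the check.
    """
    params = parse_qs(query_string)
    names = params.get("config", [])
    if len(names) != 1 or not LIST_NAME_RE.match(names[0]):
        return None
    return names[0]


def session_is_valid(listname, cookies):
    """Stand-in for private.py's cookie check, using the constructed table."""
    token = cookies.get(listname + "+archive")
    return (listname, token) in VALID_SESSIONS


def decide(query_string, cookies, privacy=ARCHIVE_PRIVATE, auth=session_is_valid):
    """Return 'allow', 'login' or 'deny' for one search request."""
    listname = list_from_query(query_string)
    if listname is None or listname not in privacy:
        return "deny"                      # unknown or malformed list: refuse
    if privacy[listname] and not auth(listname, cookies):
        return "login"                     # private archive, no valid session
    return "allow"                         # public, or private and logged in


def parse_cookies(header):
    """Minimal Cookie: header parser for 'name=value; name2=value2'."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def main():
    query = os.environ.get("QUERY_STRING", "")
    cookies = parse_cookies(os.environ.get("HTTP_COOKIE", ""))
    verdict = decide(query, cookies)
    if verdict == "allow":
        # Replace this process with htsearch; the CGI environment
        # (QUERY_STRING, REQUEST_METHOD, ...) is inherited unchanged.
        os.execv(HTSEARCH, [HTSEARCH])
    elif verdict == "login":
        sys.stdout.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n")
        sys.stdout.write("Private archive: log in via the list's archive page first.\n")
    else:
        sys.stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n")
        sys.stdout.write("Unknown or malformed list name.\n")


if __name__ == "__main__":
    main()
```

Installed in place of a directly reachable htsearch (with the original binary readable only by the wrapper's user), this closes the path described in the thread: the search form on the TOC page still works for logged-in users, but a hand-built URL against a private list's index gets a refusal instead of subjects or excerpts. Substituting Mailman's real cookie validation for `session_is_valid` and its list configuration for `ARCHIVE_PRIVATE` is the part a deployment has to supply.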