[Mailman-Users] Edit options security flaw

Marius Amado Alves amado.alves at netcabo.pt
Tue Dec 14 12:43:00 CET 2004



Mark Sapiro wrote:

> Tokio Kikuchi wrote:
> 
> 
>>Marius Amado Alves wrote:
>>
>>
>>>Sometimes version 2.1.5 lets a user A edit the options of another user B 
>>>as follows.
>>>
>>>User A consults the member list (using his name and password normally). 
>>>Here A picks an email address of user B. User A returns to the main 
>>>page, enters address of B in the Edit options slot and presses Edit 
>>>options. Normally Mailman requires a password, but sometimes IT DOES NOT 
>>>and goes straight to the editable options list page.
>>>
>>>I'd like to know if somebody else has experienced this behavior.
>>
>>Isn't the user A also the owner of the list ?

No.

Long answer: they might be the same person in the world outside Mailman. 
But they have different email addresses to Mailman. Mailman should not 
be able to make the association.

>>If he has logged in at the admin page and goes to the options page of any 
>>member of the list, then the password input is bypassed. Go to the admin 
>>page and click the Logout link. Then try again for user B.
> 
> As Tokio points out, if user A logged in with the list password rather
> than user A's personal password, this explains the behavior and is not
> a problem since someone who knows the list password is allowed to
> visit any options page.
> 
> Even if user A provided her/his personal password when visiting the
> roster, if he/she had previously logged in with the list password
> during that session and not logged out, the list admin login cookie
> will still be in the browser enabling visits to other users options
> without their passwords.

Damn cookies!

> Other than this, I am unable to duplicate this problem in any way that
> might be a security breach. I have tried both the scenario that Marius
> gives and also, just clicking user B's address in the roster which is
> processed the same way. The only times I can successfully reach user
> B's options page without a password are those times when I have
> previously logged in with the list password and not logged out or
> closed the browser in between.

That must be it. I hope it is! (Damn cookies!)

Thanks a lot.
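The mechanism the thread settles on (a list-admin login cookie left in the browser authorising visits to any member's options page, until Logout clears it) can be modelled in a few lines. The following is an added illustration written for this archive page; it is not Mailman's own code, and the cookie names, the HMAC signing scheme and the addresses are all constructed for the example. It shows the three outcomes an options-page request can have (admin cookie, the member's own cookie, or a password prompt), and why logging out of the admin page changes the result for user B.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Server-side signing secret (constructed for this example; a real deployment keeps it private)
SECRET = b"example-secret-not-for-production"


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(listname: str, role: str, email: str = "", ttl: int = 3600,
                 now: Optional[int] = None) -> Tuple[str, str]:
    """Return (cookie_name, cookie_value) for a successful login.

    role is 'admin' (logged in with the list password) or 'user' (logged in with
    a personal password). Cookie naming here is hypothetical, not Mailman's scheme.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl
    subject = email.lower() if role == "user" else "*"   # '*' = any member
    payload = f"{listname}|{role}|{subject}|{expires}"
    name = f"{listname}+{role}" + (f"+{subject}" if role == "user" else "")
    return name, f"{payload}|{_sign(payload)}"


def _verify(value: str, now: int) -> Optional[Dict[str, str]]:
    """Check signature and expiry; return the claims or None if the cookie is invalid."""
    try:
        listname, role, subject, expires, sig = value.split("|")
    except ValueError:
        return None
    payload = f"{listname}|{role}|{subject}|{expires}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if int(expires) <= now:
        return None
    return {"list": listname, "role": role, "subject": subject}


def can_edit_options(cookies: Dict[str, str], listname: str, target_email: str,
                     now: Optional[int] = None) -> str:
    """Decide how a request for target_email's options page is handled.

    Returns 'admin' (a valid list-admin cookie is present, so any member's page
    opens), 'self' (the member's own cookie is present), or 'password-required'.
    """
    now = int(time.time()) if now is None else now
    target = target_email.lower()
    for value in cookies.values():
        claims = _verify(value, now)
        if claims is None or claims["list"] != listname:
            continue
        if claims["role"] == "admin":
            return "admin"
        if claims["role"] == "user" and claims["subject"] == target:
            return "self"
    return "password-required"


def logout(cookies: Dict[str, str], listname: str, role: str) -> Dict[str, str]:
    """Drop the cookies for one role on one list; this is what the Logout link does."""
    prefix = f"{listname}+{role}"
    return {k: v for k, v in cookies.items() if not k.startswith(prefix)}


def demo(now: int = 1_000_000) -> list:
    """Walk through the scenario from the thread and return the outcome at each step."""
    outcomes = []
    # User A logs in with a personal password and looks up B in the roster.
    name_a, val_a = issue_cookie("mylist", "user", "a@example.com", now=now)
    cookies = {name_a: val_a}
    outcomes.append(can_edit_options(cookies, "mylist", "b@example.com", now=now))
    # Earlier in the same browser session, A also logged in with the list password.
    name_adm, val_adm = issue_cookie("mylist", "admin", now=now)
    cookies[name_adm] = val_adm
    outcomes.append(can_edit_options(cookies, "mylist", "b@example.com", now=now))
    # A clicks Logout on the admin page; only the admin cookie goes away.
    cookies = logout(cookies, "mylist", "admin")
    outcomes.append(can_edit_options(cookies, "mylist", "b@example.com", now=now))
    outcomes.append(can_edit_options(cookies, "mylist", "a@example.com", now=now))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['password-required', 'admin', 'password-required', 'self']
```

The signature check matters for the point made in the thread: the admin cookie is accepted because it is genuine and unexpired, not because the server confuses A with B. A tampered or expired cookie falls through to the password prompt, so the only way the observed behaviour arises is a real admin login earlier in the same browser session.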