[Mailman-Users] security heads up - path traversal with 2.1.5
Chuq Von Rospach
chuqui at plaidworks.com
Thu Feb 10 07:15:17 CET 2005
> However, I also take Chuq's point that all security announcements to
> this list, and all related mailman mailing lists hosted on python.org,
> should be made by Barry or one of the other core developers. Even if
> the information has been publicly released elsewhere, it is not
> appropriate to post it here unless you are one of those people.
>
The point I tried to make via private email was this:
ignoring that Barry's in charge, and Barry should have the say as to
when things are announced about Mailman, publishing the data here
before Barry was ready to have it published and before the patches and
other documentation, you're making the hack widely available before the
is distributed.

Yes, it's true that this problem was discussed on a few forums (full
disclosure for one), meaning the competent blackhats would know about
it and be able to take advantage of it, but the overall distribution of
the problem was still quite limited. By choosing to post it to this
list, instead of it being a serious issue with limited exposure and
risk, it now becomes a serious issue with endemic exposure and risk --
suddenly instead of a few people knowing the hack and being able to
take advantage of it, basically anyone interested in Mailman could. And
the instructions for how to protect yourself from it weren't final or
ready for distribution, much less a patch or the updated release.

To say "it was already out there" is a false justification. It's the
equivalent of hearing someone talking about it on a cell phone at
Starbucks, and using that as justification for putting it on
billboards. It completely changes the dynamics and risks of the exposure,
putting sites at risk that otherwise wouldn't have been -- because
instead of the clueful blackhats knowing about the problem, now every
person on the list does, including all of those technically naive folks
who just happen to be pissed off for being kicked off a mailing list
and are looking for a way to get back at an admin.

My position is simple (and unchanged): if it's not your project, don't
make strategic decisions about it. It was Barry's call. Barry and Tokio
were working the issue and trying to get things ready. By having it
prematurely disclosed to a wide audience, those plans were screwed, and
so were Barry's and Tokio's schedules and lives. That alone is
reason enough to not do it, but it also likely caused some sites to get
hacked that wouldn't have been, if it'd been handled properly.

Today's premature disclosure was like saying that since the adults lit
candles in the evening, it was okay to hand matches to their children.
Whatever the best of intentions -- a very bad idea.