Mailman/Pipermail private mailing list/local user vulnerability

From: H. Peter Anvin (hpa@zytor.com)
Date: 04/17/02


Date: Tue, 16 Apr 2002 21:20:09 -0700
From: "H. Peter Anvin" <hpa@zytor.com>
To: bugtraq@securityfocus.com

There is a vulnerability in Pipermail (mailing list archiving software
distributed with and integrated with Mailman), that affects you if you
have local users on the machine.

If you have (a) private Mailman mailing lists and (b) user
logins on the same machine, any local user can read the archives of
those private mailing lists.

The Mailman people have apparently declined to fix this bug. Therefore
I wanted to report it here so people are at the very least aware.

Attached is my bug report and their response.

        -hpa

> Bugs item #474616, was opened at 2001-10-24 16:35
> You can respond by visiting:
>
> http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
>
> Category: Pipermail
> Group: None
>
>>Status: Closed
>>Resolution: Wont Fix
>
> Priority: 8
> Submitted By: H. Peter Anvin (hpa)
> Assigned to: Nobody/Anonymous (nobody)
> Summary: SECURITY: Pipermail permissions problem
>
> Initial Comment:
> $mailman_root/archive/private is o+x in the default
> installation. This allows anyone with local access to
> the machine to read the archives of private mailing
> lists, as long as they know the (trivial) structure of
> the files beneath this directory.
>
> I have verified that changing this directory to o-x
> causes *all* pipermail pages to become inaccessible, so
> that does not resolve the problem.
>
> There presumably needs to be a setgid program involved
> which can verify that the user is authenticated and
> give access to the archives if appropriate; then that
> directory can be made o-x.
>
>
>
> ----------------------------------------------------------------------
>
>
>>Comment By: Barry Warsaw (bwarsaw)
>
> Date: 2002-04-11 18:40
>
> Message:
> Logged In: YES
> user_id=12800
>
> I'm not inclined to fix this, since this arrangement is
> crucial to the web security of private archives. Since
> Mailman is usually run on mail and/or web servers that have
> very limited access anyway, I don't consider this an
> important vulnerability.
>
>
> ----------------------------------------------------------------------
>
> You can respond by visiting:
>
> http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
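
A local check for the condition described in the bug report, as an added example that is not part of the original post or of Mailman. The function names are hypothetical, the directory to audit is passed in as an argument, and the directories above it are assumed to be traversable.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; pass the private archive
# directory, e.g. "$mailman_root/archive/private" (the path given in the report).

# mode_of PATH: octal permission bits (GNU stat, then BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# other_bits PATH: the "other" permission digit (0-7), i.e. the last octal digit
other_bits() {
    m=$(mode_of "$1") || return 1
    echo "${m#"${m%?}"}"
}

# audit_private_archive DIR
# Returns 0 if no file beneath DIR is reachable through "other" permissions,
# 1 if at least one is, 2 on error. Assumption: directories above DIR are
# traversable; they are not checked here.
audit_private_archive() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; return 2; }
    top=$(other_bits "$dir") || return 2

    # o+x on DIR is the condition in the report: search permission alone lets
    # any local user open files beneath it by name, even without o+r to list it.
    if [ $(( top & 1 )) -eq 0 ]; then
        echo "OK: $dir is o-x"
        return 0
    fi
    echo "WARN: $dir is o+x (other=$top)"

    # Walk down only through directories that are themselves o+x (others are
    # pruned) and report regular files that grant read to "other".
    exposed=$(find "$dir" -mindepth 1 \
        \( -type d ! -perm -0001 -prune \) -o \
        \( -type f -perm -0004 -print \))
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/  readable by any local user: /'
        return 1
    fi
    echo "  no other-readable files are reachable beneath it"
    return 0
}
```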


