Bugtraq mailing list archives

Insecure default permissions for MailMan Professional Edition, version 3.0.18

From: rpc () INETARENA COM (S, Jared)
Date: Wed, 1 Dec 1999 14:47:56 -0800


Hello,

There exists a potentially severe security issue regarding the default
permissions that the Endymion web-based email suite uses to create files
and directories for internal use.

This issue regards files creates by Endymion in the admin specified
'users/' directory,
($mailman::strLocalLocationUsers in mmprool.cgi)

  I was disturbed to see default permissions of 666 for files, and 777 for
directories created by Endymion. I have been able to:

1) read/write/delete arbitrary users' email from an unpriviledged account
2) overwrite/trash arbitrary files owned by uid webmaster.

Note that the uid these operations perform as is dependant on which uid
decompresses the program, and if the system administrator has taken the
time to check permissions of said decompressed files.

I do recognize that Endymion warns sysadmins to change the permission
values in the script, but of course we know how concerned most sysadmins
are with security :)

My suggested changes:
1) default file permissions of 0600
2) default directory permissions of 0700

Regards,
--jared <rpc () inetarena com>
Security Specialist
Internet Arena

Greets: lesia/unholy/b4b0/hhp

Current thread:

Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability Arvel Hathcock (Nov 30)
- Re: Multiples Remotes DoS Attacks in MDaemonServer v2.8.5.0Vulnerability Nobuo Miwa (Dec 01)
- Insecure default permissions for MailMan Professional Edition, version 3.0.18 S, Jared (Dec 01)
- Remote DoS Attack in Serv-U FTP-Server v2.5a Vulnerability Ussr Labs (Dec 02)
- Slackware 7.0 - login bug Stewart Gebbie (Dec 02)