Bugtraq mailing list archives

Mailman/Pipermail private mailing list/local user vulnerability


From: "H. Peter Anvin" <hpa () zytor com>
Date: Tue, 16 Apr 2002 21:20:09 -0700

There is a vulnerability in Pipermail (mailing list archiving software distributed with and integrated with Mailman), that affects you if you have local users on the machine.

If you have (a) private Mailman mailing lists and (b) user logins on the same machine, any local user can read the archives of those private mailing lists.

The Mailman people have apparently declined to fix this bug. Therefore I wanted to report it here so people are at the very least aware.

Attached is my bug report and their response.

        -hpa


> Bugs item #474616, was opened at 2001-10-24 16:35
> You can respond by visiting:
> http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103
>
> Category: Pipermail
> Group: None
>
>>Status: Closed
>>Resolution: Wont Fix
>
> Priority: 8
> Submitted By: H. Peter Anvin (hpa)
> Assigned to: Nobody/Anonymous (nobody)
> Summary: SECURITY: Pipermail permissions problem
>
> Initial Comment:
> $mailman_root/archive/private is o+x in the default
> installation.  This allows anyone with local access to
> the machine to read the archives of private mailing
> lists, as long as they know the (trivial) structure of
> the files beneath this directory.
>
> I have verified that changing this directory to o-x
> causes *all* pipermail pages to become inaccessible, so
> that does not resolve the problem.
>
> There presumably needs to be a setgid program involved
> which can verify that the user is authenticated and
> give access to the archives if appropriate; then that
> directory can be made o-x.
>
>
>
> ----------------------------------------------------------------------
>
>
>>Comment By: Barry Warsaw (bwarsaw)
>
> Date: 2002-04-11 18:40
>
> Message:
> Logged In: YES
> user_id=12800
>
> I'm not inclined to fix this, since this arrangement is
> crucial to the web security of private archives.  Since
> Mailman is usually run on mail and/or web servers that have
> very limited access anyway, I don't consider this an
> important vulnerability.
>
>
> ----------------------------------------------------------------------
>
> You can respond by visiting:
> http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103


