oss-sec mailing list archives
Limited DoS in mailman (requires non standard config)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 28 Apr 2015 11:04:00 -0600
So I recently ran into a flaw in mailman where I had imported a text list of email addresses of people that wanted to sign up. It turns out one of the addresses was in the form "user () domain tld/random", not sure how that snuck in but anyways. When sending email to this list it fails due to that address being present:

from mailman posts log:

Apr 28 16:46:23 2015 (29704) post to testing from testing-request@XXX, size=1786, message-id=<mailman.0.1430239582.16535.testing@XXX>, 1 failures

from smtp-failure log:

smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused: {'kurt () seifried org/foo': (501, '5.1.3 Bad recipient address syntax')}, msgid: <CAEo5KB7F3LNCv7Q09ppqBRgUZTaGizyRHx1WS81w8K7S8Yhk7A@YYY>

So obviously any list configured to require confirmation will not be affected by this, but lists using import via file or web interface could potentially be affected (if you get a "dirty" list), or lists that require admin approval only and not confirmation (e.g. the admin doesn't notice it when they hit accept).

Overall I don't think this is a security vulnerability; if you have "require confirmation" and clean any address prior to import it cannot be triggered, but it would be nice to have this hardened I think.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
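The post's mitigation is to clean an address file before importing it and to watch the smtp-failure log for refused recipients. The following is an added example (not part of the post and not Mailman's own code) showing both sides: a conservative syntax check run over a constructed "dirty" import file, and a parser for smtp-failure lines in the format quoted above that pulls out the refused recipients. The sample addresses, the message-id and the validation regex are assumptions made for the example; the regex is stricter than whatever Mailman's importer applies and is meant only to reject obviously malformed entries such as a "/random" suffix on the domain.

```python
import ast
import re
from typing import Dict, List, Tuple

# Constructed sample import file (not real data). The third entry carries a
# trailing "/foo" on the domain, the shape of the address described in the post.
DIRTY_IMPORT = """alice@example.org
bob@example.net
kurt@example.org/foo
not-an-address
carol@example.com
"""

# Constructed smtp-failure line in the format quoted in the post; the address
# and message-id are placeholders.
SAMPLE_LOG = (
    "smtp-failure:Apr 28 16:46:44 2015 (29704) All recipients refused: "
    "{'kurt@example.org/foo': (501, '5.1.3 Bad recipient address syntax')}, "
    "msgid: <CONSTRUCTED-MSGID@example.org>"
)

# Assumed validation rule: one "@", a local part of printable non-space
# characters, and a domain made only of dot-separated letter/digit/hyphen labels.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDRESS_RE = re.compile(rf"^{_LOCAL}@(?:{_LABEL}\.)+{_LABEL}$")

# Matches the dict literal Mailman's smtp-failure line embeds after
# "All recipients refused:".
_REFUSED_RE = re.compile(r"All recipients refused: (\{.*\}), msgid: (<[^>]+>)")


def validate_address(addr: str) -> bool:
    """Return True only for a plain user@domain.tld address."""
    addr = addr.strip()
    if addr.count("@") != 1 or len(addr) > 254:
        return False
    return _ADDRESS_RE.match(addr) is not None


def partition_import(text: str) -> Tuple[List[str], List[str]]:
    """Split an import file into (accepted, rejected); blank and '#' lines are skipped."""
    accepted: List[str] = []
    rejected: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (accepted if validate_address(line) else rejected).append(line)
    return accepted, rejected


def parse_refused(log_line: str) -> Dict[str, Tuple[int, str]]:
    """Extract the {recipient: (code, message)} mapping from an smtp-failure line."""
    m = _REFUSED_RE.search(log_line)
    if not m:
        return {}
    # The log embeds a Python dict repr; literal_eval parses it without exec.
    parsed = ast.literal_eval(m.group(1))
    return {str(k): (int(v[0]), str(v[1])) for k, v in parsed.items()}


def refused_recipients(log_line: str) -> List[str]:
    """Recipients that got a permanent (5xx) refusal, i.e. candidates for removal."""
    return sorted(
        rcpt for rcpt, (code, _msg) in parse_refused(log_line).items()
        if 500 <= code < 600
    )


if __name__ == "__main__":
    ok, bad = partition_import(DIRTY_IMPORT)
    print("would import:", ok)
    print("rejected before import:", bad)
    print("refused by SMTP in sample log:", refused_recipients(SAMPLE_LOG))
```

Running the block prints three accepted addresses, two rejected entries (the "/foo" address and the bare word), and the single refused recipient recovered from the sample log line. Note that a permanent refusal of one recipient shows up as "All recipients refused" in the quoted log only because delivery of that message attempt failed as a whole; the parser simply reports what the line says, and an operator would still decide which entries to drop from the membership list.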
Current thread:
- Limited DoS in mailman (requires non standard config) Kurt Seifried (Apr 28)
- Re: Limited DoS in mailman (requires non standard config) Mark Sapiro (Apr 28)
- Re: Limited DoS in mailman (requires non standard config) Kurt Seifried (Apr 28)
- Re: Limited DoS in mailman (requires non standard config) Mark Sapiro (Apr 28)
- Re: Limited DoS in mailman (requires non standard config) Kurt Seifried (Apr 28)
- Re: Limited DoS in mailman (requires non standard config) Mark Sapiro (Apr 28)