COMMAND
MailMan
SYSTEMS AFFECTED
MailMan Professional Edition v3.0.18
PROBLEM
S. Jared found the following. There is a potentially severe
security issue in the default permissions that the Endymion
web-based email suite uses when it creates files and
directories for its own internal use.
The issue concerns files created by Endymion in the
admin-specified 'users/' directory ($mailman::strLocalLocationUsers
in mmprool.cgi). The default permissions are 666 for files and 777
for directories created by Endymion, i.e. readable and writable by
every account on the system, not only the uid the CGI runs as.
From an unprivileged local account you can therefore:
1) read, modify or delete arbitrary users' email
2) overwrite or trash arbitrary files owned by the webmaster uid
Note that the uid under which these operations take place depends
on which uid decompressed the program, and on whether the system
administrator has taken the time to check the permissions of the
decompressed files.
SOLUTION
Suggested changes:
1) default file permissions of 0600
2) default directory permissions of 0700
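The following is an added example written for this page; it is not code from the advisory, from S. Jared, or from the MailMan product. It demonstrates both the problem described above (a per-user mailbox directory created with 0777/0666 defaults, open to every other local account) and the suggested 0700/0600 defaults, and it includes an audit an administrator can run over a real 'users/' directory to find entries that any group or other uid can touch. The user names, mailbox contents and directory layout are constructed for the demonstration and live in a temporary directory; the function names are this example's own.

```python
"""Added example (not part of the advisory or of MailMan itself): a constructed
'users/' tree built the reported way (0777 dirs, 0666 files) next to one built
with the suggested 0700/0600 defaults, an audit that lists every entry any
other local account can touch, and an in-place fix. Paths and mailbox contents
are made up for the demonstration; everything lives in a temporary directory."""
import os
import stat
import tempfile

# Any permission bit for group or other means another local uid gets access.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def create_permissive(users_dir, name, data):
    """Reported behaviour: directory 0777, file 0666, umask cleared.
    Every local account can read, rewrite or unlink the mailbox and create
    entries (including links) in the directory."""
    user_dir = os.path.join(users_dir, name)
    old = os.umask(0)
    try:
        os.mkdir(user_dir, 0o777)
        fd = os.open(os.path.join(user_dir, "inbox"),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    finally:
        os.umask(old)
    return user_dir


def create_restricted(users_dir, name, data):
    """Suggested defaults: directory 0700, file 0600, created with O_EXCL so a
    file or link pre-planted by another account is refused rather than
    reused. The umask is set to 077, never cleared, so modes can only get
    tighter than requested."""
    user_dir = os.path.join(users_dir, name)
    old = os.umask(0o077)
    try:
        os.mkdir(user_dir, 0o700)
        fd = os.open(os.path.join(user_dir, "inbox"),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    finally:
        os.umask(old)
    return user_dir


def mode_of(path):
    """Permission bits of path (lstat, so symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit(users_dir):
    """Return sorted [(relative path, mode)] for every entry under users_dir
    that grants any access to group or other. Empty list: tree is private."""
    findings = []
    for root, dirs, files in os.walk(users_dir):
        for entry in dirs + files:
            full = os.path.join(root, entry)
            mode = mode_of(full)
            if mode & GROUP_OTHER_BITS:
                findings.append((os.path.relpath(full, users_dir), mode))
    return sorted(findings)


def fix_permissions(users_dir):
    """Apply 0700 to directories and 0600 to regular files in place; symlinks
    are skipped. Returns the number of entries whose mode was changed."""
    changed = 0
    for root, dirs, files in os.walk(users_dir):
        for entry, want in [(d, 0o700) for d in dirs] + [(f, 0o600) for f in files]:
            full = os.path.join(root, entry)
            if os.path.islink(full) or mode_of(full) == want:
                continue
            os.chmod(full, want)
            changed += 1
    return changed


def demo():
    """Build one mailbox each way, audit, fix, audit again.
    Returns (findings before fix, findings after fix, entries changed)."""
    with tempfile.TemporaryDirectory() as tmp:
        users = os.path.join(tmp, "users")
        os.mkdir(users, 0o700)
        create_permissive(users, "alice", "From: bob\n\nhello\n")   # constructed
        create_restricted(users, "carol", "From: dave\n\nhi\n")     # constructed
        before = audit(users)
        changed = fix_permissions(users)
        return before, audit(users), changed


if __name__ == "__main__":
    before, after, changed = demo()
    for path, mode in before:
        print("accessible to other accounts:", path, oct(mode))
    print("fixed %d entries; remaining findings: %r" % (changed, after))
```

Running the script reports 'alice' (0o777) and 'alice/inbox' (0o666) before the fix and nothing afterwards; 'carol', created with the suggested defaults, never appears. Pointing audit() at the real 'users/' directory gives the same check for an installed copy. Note that 0600/0700 only keeps out other uids: anything that already runs as the web-server uid, such as another user's CGI, is unaffected, which is the point made in the closing paragraph of this advisory.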
It should be quite possible to run the MailMan CGI processes
under their own UID on the web server. CGI scripts no longer
have to run with the power and access of 'nobody' these days.
MailMan was intended as a convenience feature for users, an add-on
per se: the extra ability to check email from anywhere instead of
having to log on to the system. It should not be relied on for
absolutely secure email. If you use MailMan and your users are able
to create and run their own CGI scripts, then the permissions you
use will not matter. MailMan runs on your web server and therefore
runs as 'nobody' or whatever name you have given the web server.
Your users' CGIs run as 'nobody' on the web server as well. So, if
a user writes a CGI that accesses files and directories as nobody
via the web, that CGI can also access every file that MailMan
creates (unless, as suggested above, the server runs each CGI under
its own UID). So MailMan is absolutely not your solution if you
want the most secure email system. Yes, changing the default
permissions to 0600 and 0700 helps deter attacks from other local
accounts; it does not, however, give absolute protection from
within the system.