
Mailman - read/write/delete other users' webmail!



Vulnerability

    MailMan

Affected

    MailMan Professional Edition v3.0.18

Description

    S. Jared found the following.  There is a potentially severe
    security issue regarding the default permissions that the Endymion
    web-based email suite (MailMan) uses when it creates files and
    directories for internal use.

    The issue concerns files created by Endymion in the admin-specified
    'users/' directory ($mailman::strLocalLocationUsers in mmprool.cgi).
    By default Endymion creates files with mode 666 and directories with
    mode 777, so every local account can read and write them.  From an
    unprivileged account you can therefore:

        1) read/write/delete arbitrary users' email
        2) overwrite/trash arbitrary files owned by uid webmaster.

    Note that the uid these operations perform as depends on which uid
    decompressed the distribution, and on whether the system
    administrator has taken the time to check the permissions of the
    decompressed files.

Solution

    Suggested changes:

        1) default file permissions of 0600
        2) default directory permissions of 0700
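
    The following is an added example, not MailMan's own code or the
    advisory's: a small POSIX shell script that audits an existing
    MailMan 'users/' tree (the directory named by
    $mailman::strLocalLocationUsers; the path is assumed to be passed as
    the first argument) for the 666/777 defaults described above and
    tightens whatever is already on disk to the suggested 0600/0700.  The
    sample tree it builds for a dry run is constructed here and is not
    part of any real installation.

```shell
#!/bin/sh
# Added example (not MailMan's own code): audit the files MailMan creates
# under its users/ directory for the 666/777 defaults, and tighten them to
# the 0600/0700 the advisory suggests.
# Assumption: "$1" is the directory named by $mailman::strLocalLocationUsers.

# Print every file or directory under the tree that has any read, write or
# execute bit set for group or others, i.e. anything looser than 0600/0700.
# The single-bit -perm tests are POSIX, unlike GNU's "-perm /077".
audit_users_dir() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \
        -o -perm -0040 -o -perm -0020 -o -perm -0010 \) -print
}

# Number of loose entries as a bare integer (for scripts and checks).
count_loose() {
    audit_users_dir "$1" | wc -l | tr -d ' '
}

# Apply the advisory's suggested defaults to everything already on disk:
# 0700 for directories, 0600 for files.  Run this as the owner of the
# tree (the web server user) or as root.
tighten_users_dir() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -exec chmod 0600 {} +
}

# Build a small constructed users/ tree with the insecure defaults, so the
# audit can be tried without a real MailMan install.
make_sample_tree() {
    mkdir -p "$1/alice" "$1/bob"
    : > "$1/alice/inbox"
    : > "$1/bob/inbox"
    chmod 0777 "$1" "$1/alice" "$1/bob"
    chmod 0666 "$1/alice/inbox" "$1/bob/inbox"
}

# Usage: sh mailman_perms.sh /path/to/users        (audit only)
#        sh mailman_perms.sh /path/to/users fix    (audit, then tighten)
if [ "$#" -ge 1 ]; then
    audit_users_dir "$1"
    if [ "$2" = "fix" ]; then tighten_users_dir "$1"; fi
fi
```

    This only repairs what is already on disk.  Files the CGI creates
    afterwards will come back as 666/777 unless the suite itself is
    changed to create them with 0600/0700 (the fix the advisory asks
    for) or the web server process runs with a restrictive umask, so
    re-run the audit (from cron, for instance) until one of those is in
    place.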

    It should be quite possible to wrap the MailMan CGI processes in
    their own UID on the web server (with a suEXEC-style wrapper, for
    instance).  CGI scripts do not have to run with the power and access
    of 'nobody' these days.

    MailMan was intended as a convenience feature for users, an add-on
    per se: the extra ability to check email from anywhere instead of
    having to log on to the system.  It should not be used where
    absolutely secure email is required.  If you use MailMan and your
    users have the ability to write and run CGI scripts, then it will
    not matter what permissions you use.  MailMan runs on your web
    server and thus runs as 'nobody' or whatever user you have given the
    web server, and your users' CGIs run as that same user.  So if a
    user creates a CGI that accesses files and directories as 'nobody'
    via the web, they can also access every file that MailMan creates.
    MailMan is therefore not your solution if you want the most secure
    email system.  Changing the permissions to 0600 and 0700 does raise
    the bar against other local users; however, it does not protect
    against anyone who can already run code as the web server's user.

