Dennison Williams wrote:
>
>The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
>my Mailman/mm_cfg.py file I am still able to disclose other lists on
>other domains through the url:
>http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
>There must be another way around this; if not, it should be considered
>a minor security flaw. Can anyone point me in the right direction for
>preventing this?


VIRTUAL_HOST_OVERVIEW controls what its name implies, i.e. what lists
appear on the listinfo and admin overview page. It is true that by
trying URLs such as you give above, one could confirm the
existence of a list in another domain and find its domain name from
its listinfo page. If this is really a security issue for you, there
are two choices.

1) Modify all the Mailman/Cgi/*.py modules along the lines of the
attached listinfo.patch.txt, or

2) Install a separate Mailman instance for each domain.


>The second issue is that all emails from the list are coming with links
>from the wrong domain.  How can I get these links to reflect the domain
>that the lists are for?


Web links or email links? If the web links are wrong, the lists must
also appear on the wrong listinfo overview page. In any case, make
sure every host has a correct

add_virtualhost('hosts.web.domain', 'hosts.email.domain')

in mm_cfg.py. Then run Mailman's

bin/withlist -l -r fix_url listname -u web.host.for.this.list

for every list. This will fix both web and email domains. Or, if the
problem is only email domains, you can go to the web admin General
Options page for every list and set the correct host_name attribute
near the bottom of the page.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--- listinfo.py 2010-01-28 13:55:59.328125000 -0800
+++ listinfox.py        2010-04-16 08:01:45.953125000 -0700
@@ -52,6 +52,15 @@
         listinfo_overview(_('No such list <em>%(safelistname)s</em>'))
         syslog('error', 'No such list "%s": %s', listname, e)
         return
+    hostname = Utils.get_domain()
+    if mm_cfg.VIRTUAL_HOST_OVERVIEW and \
+           mlist.web_page_url.find('/%s/' % hostname) == -1:
+        # List is for different identity of this host - say not found.
+        # Avoid cross-site scripting attacks
+        safelistname = Utils.websafe(listname)
+        listinfo_overview(_('No such list <em>%(safelistname)s</em>'))
+        syslog('error', 'No such list "%...@%s"', listname, hostname)
+        return
 
     # See if the user want to see this page in other language
     cgidata = cgi.FieldStorage()
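Review bot: the syslog call in the added block passes two arguments (listname, hostname) but the format string as shown, 'No such list "%...@%s"', has only one %s conversion, so the message cannot be formatted as written; if the archive has mangled the original "%s@%s", the committed line should read syslog('error', 'No such list "%s@%s"', listname, hostname), otherwise it needs a second %s. Two smaller points on the same hunk: mlist.web_page_url.find('/%s/' % hostname) == -1 is a substring search over the whole URL, and it also hides a list from its own host whenever web_page_url carries an explicit port (the '/host:port/' form never contains '/host/'); comparing the parsed netloc of web_page_url against hostname states the intent directly. And since the reply says the same block is to be added to every Mailman/Cgi/*.py, it would be better placed once in Utils as a helper (a hypothetical Utils.list_served_by_this_host(mlist), name not from the patch) that each CGI calls, so the check and its log message stay in one place.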
------------------------------------------------------
Mailman-Users mailing list [email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
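An added example, not code from Mark Sapiro's reply or from Mailman itself, showing the two things the reply describes: the per-virtual-host ownership check that makes a list on another domain answer "No such list" exactly as a missing list does, and a scan of each list's web_page_url against the add_virtualhost() table to find lists that still need the bin/withlist fix_url run. The VIRTUAL_HOSTS table, the request_host() helper, the list names, host names and web_page_url values are all constructed for this example and only assume the shape of what mm_cfg.add_virtualhost() and Utils.get_domain() provide (a web host to email host mapping, and the request host lowercased without its port); they are not Mailman's own data structures. The ownership test parses the URL instead of searching it for '/host/', so a web_page_url that carries an explicit port is still matched to its own host, and the list name is HTML-escaped before it is echoed.

```python
"""Virtual-host ownership check and fix_url scan for Mailman-style lists.

Added example (assumptions labelled inline); not Mailman's own code.
"""
import html
from urllib.parse import urlsplit

# Assumption: same shape as the table mm_cfg.add_virtualhost() builds,
# mapping a web host to the email host it serves.
VIRTUAL_HOSTS = {}


def add_virtualhost(web_host, email_host=None):
    """Register a virtual host as mm_cfg.py does; email host defaults to web host."""
    VIRTUAL_HOSTS[web_host.lower()] = (email_host or web_host).lower()


# Constructed hosts for the example.
add_virtualhost('lists.example.org', 'example.org')
add_virtualhost('lists.example.net', 'example.net')


def request_host(environ):
    """Host the request arrived on: HTTP_HOST (else SERVER_NAME), lowercased,
    with any :port or IPv6 brackets removed (assumption: this is what
    Utils.get_domain() yields under VIRTUAL_HOST_OVERVIEW)."""
    host = environ.get('HTTP_HOST') or environ.get('SERVER_NAME', '')
    return urlsplit('//' + host).hostname or ''


def list_is_served_here(web_page_url, host):
    """True when the list's web_page_url names exactly this host.

    Parsing the URL rather than searching it for '/host/' means a port in
    web_page_url is ignored and a host name that merely appears as a path
    segment does not count."""
    return (urlsplit(web_page_url).hostname or '') == host.lower()


def listinfo(environ, lists):
    """Minimal stand-in for the listinfo CGI, returning (status, body).

    A list that exists but belongs to another virtual host gets the same
    'No such list' answer as a list that does not exist, so the URL probe
    from the thread cannot confirm it. The echoed name is HTML-escaped."""
    host = request_host(environ)
    listname = environ.get('PATH_INFO', '').strip('/').split('/')[0].lower()
    safelistname = html.escape(listname)
    url = lists.get(listname)
    if url is None or not list_is_served_here(url, host):
        return 404, 'No such list <em>%s</em>' % safelistname
    return 200, 'Listinfo for %s at %s' % (safelistname, url)


def lists_needing_fix(lists):
    """Names of lists whose web_page_url host is not a registered virtual
    host; each is a candidate for the fix_url run from the reply."""
    return sorted(name for name, url in lists.items()
                  if (urlsplit(url).hostname or '') not in VIRTUAL_HOSTS)


def fix_url_command(listname, web_host):
    """The bin/withlist invocation from the reply for one list; afterwards the
    list's host_name should equal VIRTUAL_HOSTS[web_host]."""
    if web_host.lower() not in VIRTUAL_HOSTS:
        raise ValueError('%s is not a registered virtual host' % web_host)
    return 'bin/withlist -l -r fix_url %s -u %s' % (listname, web_host.lower())


# Constructed sample data: web_page_url per list as an admin would see it.
SAMPLE_LISTS = {
    'devs': 'http://lists.example.org/mailman/',
    'ops': 'http://lists.example.net:8080/mailman/',   # explicit port
    'legacy': 'http://www.example.com/mailman/',        # host never registered
}

if __name__ == '__main__':
    for host in ('lists.example.org', 'lists.example.net'):
        env = {'HTTP_HOST': host, 'PATH_INFO': '/devs'}
        print(host, listinfo(env, SAMPLE_LISTS))
    # Which host a mis-homed list should move to is the admin's choice;
    # lists.example.org is assumed here.
    for name in lists_needing_fix(SAMPLE_LISTS):
        print(fix_url_command(name, 'lists.example.org'))
```

Requesting /devs on lists.example.org is served, while the same path on lists.example.net returns the generic "No such list" page; the ops list, whose stored URL carries :8080, is still recognised on its own host; and the legacy list, homed on a host that add_virtualhost() never registered, is the one reported for fix_url.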
