GNU Mailman

Various web attacks cause CGI modules to throw uncaught exceptions

Bug #1695667 reported by Mark Sapiro
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNU Mailman
Fix Released
Low
Mark Sapiro
GNU Mailman 2.1.25

Bug Description

This is merely an annoyance in that it adds error reports to Mailman's error log. The web response is just the "we hit a bug" page, but we may wish to defend against these. We have seen errors like

Jun 02 15:47:45 2017 admin(31978): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(31978): [----- Mailman Version: 2.1.23 -----]
admin(31978): [----- Traceback ------]
admin(31978): Traceback (most recent call last):
admin(31978): File "/srv/mailman/scripts/driver", line 117, in run_main
admin(31978): main()
admin(31978): File "/srv/mailman/Mailman/Cgi/subscribe.py", line 109, in main
admin(31978): process_form(mlist, doc, cgidata, language)
admin(31978): File "/srv/mailman/Mailman/Cgi/subscribe.py", line 147, in process_form
admin(31978): ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':')
admin(31978): AttributeError: 'list' object has no attribute 'split'

Jun 02 15:48:05 2017 admin(32270): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(32270): [----- Mailman Version: 2.1.23 -----]
admin(32270): [----- Traceback ------]
admin(32270): Traceback (most recent call last):
admin(32270): File "/srv/mailman/scripts/driver", line 117, in run_main
admin(32270): main()
admin(32270): File "/srv/mailman/Mailman/Cgi/listinfo.py", line 74, in main
admin(32270): if not Utils.IsLanguage(language):
admin(32270): File "/srv/mailman/Mailman/Utils.py", line 751, in IsLanguage
admin(32270): return mm_cfg.LC_DESCRIPTIONS.has_key(lang)
admin(32270): TypeError: unhashable type: 'list'

Jun 02 17:24:06 2017 admin(6887): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(6887): [----- Mailman Version: 2.1.23 -----]
admin(6887): [----- Traceback ------]
admin(6887): Traceback (most recent call last):
admin(6887): File "/srv/mailman/scripts/driver", line 117, in run_main
admin(6887): main()
admin(6887): File "/srv/mailman/Mailman/Cgi/admin.py", line 118, in main
admin(6887): cgidata.getvalue('adminpw', '')):
admin(6887): File "/srv/mailman/Mailman/SecurityManager.py", line 238, in WebAuthenticate
admin(6887): ac = self.Authenticate(authcontexts, response, user)
admin(6887): File "/srv/mailman/Mailman/SecurityManager.py", line 180, in Authenticate
admin(6887): sharesponse = sha_new(response).hexdigest()
admin(6887): TypeError: must be string or buffer, not list

The above all result from POST data or query fragments containing multiple values for the same parameter resultin in that parameter being passed to the CGI as a list rather than a string.

We have also seen

Jun 02 17:08:00 2017 admin(27163): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(27163): [----- Mailman Version: 2.1.23 -----]
admin(27163): [----- Traceback ------]
admin(27163): Traceback (most recent call last):
admin(27163): File "/srv/mailman/scripts/driver", line 117, in run_main
admin(27163): main()
admin(27163): File "/srv/mailman/Mailman/Cgi/options.py", line 113, in main
admin(27163): params = cgidata.keys()
admin(27163): File "/usr/lib/python2.7/cgi.py", line 582, in keys
admin(27163): raise TypeError, "not indexable"
admin(27163): TypeError: not indexable

which comes from a POST with no post data.

Related branches

lp:mailman/2.1
Revision history for this message
Mark Sapiro (msapiro) wrote :

Regarding the last error above, "TypeError: not indexable"; that had been fixed by https://bugs.launchpad.net/bugs/1602608 but https://bugs.launchpad.net/bugs/1614841 caused a regression of that fix in options.py. The regression is now fixed at http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1711

Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.