It seems it is possible, if this patch is installed, for a list's
htdig conf file and the list specific htdig index db files to be
read directly through the web interface for list archives.
Even if this patch isn't installed it seems a list's pipermail.pck
file can also be read directly through the web interface for list
archives.
This seems to be true for accesses via /pipermail for public
lists and via /mailman/private for private lists.
The problem does not occur for htdig search results
accessed via /mailman/htdig as the htdig.py script is more
protective than private.py.
Broadly speaking the data affected is available to a user in
normal operation which is why I do not consider the issue to
be a security breach as such.
Adding the following RewriteRules to Apache's httpd.conf
prevents the situation, assuming you have RewriteEngine
On:
RewriteRule ^(/pipermail/.*)/(pipermail\.pck|htdig/[^/]*)$ $1/index.html [F]
RewriteRule ^(/mailman/private/.*)/(pipermail\.pck|htdig/[^/]*)$ $1/index.html [F]
You could, of course, substitute an R flag for the F flag on the
RewriteRules and be more hacker friendly.
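As an added example (not part of the original post or of Mailman), the following Python mirrors the two RewriteRule patterns above so an administrator can check, offline, which archive request paths the rules would answer with 403 before enabling them. The list name `mylist` and the file names under `htdig/` are constructed sample values; the patterns themselves are the ones from the post, with `$1` written as Python's `\1`.

```python
import re

# Python mirror of the two Apache RewriteRule patterns from the post.
# mod_rewrite uses PCRE; these patterns use only syntax that Python's re
# module interprets identically. Apache's $1 back-reference becomes \1.
BLOCK_RULES = [
    (re.compile(r"^(/pipermail/.*)/(pipermail\.pck|htdig/[^/]*)$"),
     r"\1/index.html"),
    (re.compile(r"^(/mailman/private/.*)/(pipermail\.pck|htdig/[^/]*)$"),
     r"\1/index.html"),
]


def rewrite_decision(path):
    """Apply the rules to a request path (no query string, as mod_rewrite
    sees it). Returns ("forbidden", rewritten_path) when a rule matches,
    which with the [F] flag means Apache answers 403, otherwise
    ("allow", path)."""
    for pattern, repl in BLOCK_RULES:
        match = pattern.match(path)
        if match:
            return ("forbidden", match.expand(repl))
    return ("allow", path)


def audit_paths(paths):
    """Return the subset of paths the rules block, in input order.
    Useful for running over paths pulled from an access log to confirm
    the rules cover the files the post describes and nothing else."""
    return [p for p in paths if rewrite_decision(p)[0] == "forbidden"]


# Constructed sample request paths for the hypothetical list "mylist".
SAMPLE_PATHS = [
    "/pipermail/mylist/pipermail.pck",          # pickle of the archive
    "/pipermail/mylist/htdig/mylist.conf",      # per-list htdig conf
    "/pipermail/mylist/htdig/db.docdb",         # htdig index db file
    "/pipermail/mylist/2003-May/000001.html",   # a normal archived message
    "/pipermail/mylist/index.html",             # the archive index itself
    "/mailman/private/mylist/pipermail.pck",
    "/mailman/private/mylist/htdig/db.wordlist",
    "/mailman/private/mylist/2003-May/date.html",
    # Note: [^/]* only matches one path component under htdig/, so a
    # deeper path like this is NOT caught by the rules as written.
    "/pipermail/mylist/htdig/sub/file",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict, target = rewrite_decision(p)
        print(f"{verdict:9} {p}" + (f"  -> {target}" if verdict == "forbidden" else ""))
```

Running the block prints one line per sample path; the five pickle and `htdig/` paths are reported as forbidden with their `$1/index.html` rewrite target, while ordinary archive pages and the index pass through unchanged.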