privacy hole in password reminder

Bug #266821 reported by Dmvianna-users
This bug affects 5 people
Affects: GNU Mailman
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Mailman sends me password reminders in plain text. I
can disable this feature, but other users can manually
make it send a reminder just as if I had forgotten the
password, with no other question being asked. If smart
enough to intercept that message, the attacker could:

1) Get my password;
2) get my IP in the mail header.

Possible solutions:

1) Some sites and programs use a "secret question",
the right answer to which gives the user the chance to
get a password reminder.

2) The password could be prompted in a secure html
page. I find this safer, as compared to plain text mails.

[http://sourceforge.net/tracker/index.php?func=detail&aid=1441723&group_id=103&atid=350103]

Revision history for this message
Mark Sapiro (msapiro) wrote :

I'm not sure what IP you think would be in the email header
that isn't already publicly available via a DNS query of
your email domain, or why you think even that IP would be in
the header of an intercepted mail.

Also, when you say "If smart enough to intercept that
message", are you aware of an attack that would enable this,
or are you just concerned that it could happen?

Finally, password reminders will go away in Mailman 2.2.
We'll try to keep your concern in mind as we work on their
replacement.

Revision history for this message
Mats Ahlgren (mats-ahlgren+launchpad) wrote :

The following major security issues also exist:

- If an email account is compromised, an attacker (or even an automated virus) can easily gather all passwords. This would *NOT* happen if no reminders were sent, nor would it happen if the classic "answer the security questions to receive a password reset form" strategy were used.

- Additionally, once the attacker has the dozens of passwords one might use for various mailman lists, the attack can attempt to use those passwords on other websites or computer systems (e.g. SSH) in automated attacks. The most basic attack would merely use the password, but more sophisticated attacks can use the passwords as seeds in an automated cracker.

> Mark Sapiro: "Are you aware of an attack that would enable this?"
- As the original poster wrote: the password reminders are in plaintext. As far as I know, aren't all email messages sent in plaintext and thus absolutely trivial to eavesdrop on? All the attack would need is a compromised relay on the internet, which I hear is getting more common these days. Just run one of the many network-traffic-monitoring programs and listen for the string "password".

Revision history for this message
Mark Sapiro (msapiro) wrote :

We know that plain text emailed passwords are a bad idea. This will be fixed in MM 3.

For MM 2.1, as a list member, you can turn off the periodic reminder for any list of which you are a member. As a list owner, you can turn off all periodic reminders from your lists. As a site admin, you can turn off all periodic reminders from the site.

That leaves only the "request an immediate reminder and intercept the email" attack as a vulnerability. The list subscribe form says:

  You may enter a privacy password below. This provides only mild security,
  but should prevent others from messing with your subscription.
  *Do not use a valuable password* as it will occasionally be emailed back to you in cleartext.

which implies that such a password, even if it is not an autogenerated one, is less likely to work in other contexts.

Changed in mailman:
importance: Medium → High
milestone: none → mailman-2.2-3.0
status: New → Triaged
Revision history for this message
Amedee Van Gasse (amedee) wrote :

The problem isn't plain text emailed passwords.
The *real* problem is storing plain text passwords on the server that runs mailman.
If that server gets compromised, the attacker has a list of email addresses and passwords.
I guess you all heard about the recent problems with Sony's Playstation Network (PSN). One of the biggest problems there was that Sony stored plain text passwords. If you Google for "plain text passwords", you will see thousands of articles that advise against it, and none that recommend it. Storing plain text passwords in a database is a security antipattern.

Passwords should always be one-way encrypted (hashed), and preferably well salted.

This is a website that shames Plain Text Offenders: http://plaintextoffenders.com/
Mailman should be added to that website, and Ubuntu should add a very clear security warning to Mailman. Other (more secure) mailing list software should be advised, or a more secure (patched) version (MM 2.1, 3.0, whatever) should be used.

Canonical/Ubuntu itself currently uses Mailman for its community mailing lists (ubuntu-users etc.). This should be seriously evaluated.

Revision history for this message
Amedee Van Gasse (amedee) wrote :

I am sorry, this appears to be the general Launchpad page for Mailman, not just Ubuntu's version of it.
I got confused because a lot of Ubuntu happens on Launchpad, but there are other projects hosted here too.

Revision history for this message
trampster (trampster) wrote :

It is completely unacceptable that such a widely used opensource tool as this has such a major security flaw in it.

You should not be able to send me my password in plaintext, because passwords should be stored using a non-reversible salted hash.

This is a major PR disaster just waiting to happen. Mailman would become a laughing stock of the software world.

How has this gone unfixed for 6 years?

Revision history for this message
Barry Warsaw (barry) wrote : Re: [Bug 266821] Re: privacy hole in password reminder

On Oct 01, 2012, at 06:51 AM, trampster wrote:

>You should not be able to send me my password in plaintext. Because
>passwords should be stored using an non reversible salted hash.

There are many documented ways to disable password reminders on a per-user,
per-list, or per-site basis. Please read the FAQ.

Mailman 3 removes password reminders and hashes passwords with a configurable
hash algorithm (by default salted sha512).
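
As an added illustration (not Mailman's own code) of the storage model Amedee and Barry describe above: the server keeps only salted SHA-512 hashes (here produced with PBKDF2-HMAC-SHA512, a choice made for this example), so there is no cleartext to mail back, and the only thing that can be emailed on a "forgot my password" request is a single-use, time-limited reset token. The class and function names, the round count and the token lifetime are assumptions; the store is an in-memory dictionary constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 rounds; a value chosen for this example

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha512$<rounds>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha512$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

class MemberStore:
    """Keeps only hashes: nothing here can be 'reminded' back to the member."""

    def __init__(self):
        self.hashes = {}  # email -> hash string (constructed in-memory store)
        self.tokens = {}  # reset token -> (email, expiry timestamp)

    def set_password(self, email, password):
        self.hashes[email] = hash_password(password)

    def login(self, email, password):
        stored = self.hashes.get(email)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, email, ttl=900, now=None):
        """What gets emailed instead of the password: single-use, expires after ttl seconds."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, (time.time() if now is None else now) + ttl)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        entry = self.tokens.pop(token, None)  # pop consumes the token even if it turns out invalid
        if entry is None or (time.time() if now is None else now) > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

A compromised mailbox or relay now yields at most a short-lived token that is useless once redeemed or expired, rather than a reusable password.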

Revision history for this message
trampster (trampster) wrote :

Are you aware that the bug you made this a duplicate of is marked as
invalid?

On Tue, Oct 2, 2012 at 6:49 AM, Mark Sapiro <email address hidden> wrote:

> *** This bug is a duplicate of bug 265179 ***
> https://bugs.launchpad.net/bugs/265179
>
> ** This bug has been marked a duplicate of bug 265179
> Security hole: passwords mailed in clear
>

Revision history for this message
Mark Sapiro (msapiro) wrote :

trampster wrote:
>
>Are you aware that the bug you made this a duplicate of is marked as
>invalid?

Yes. Whether or not that bug is invalid is irrelevant. That bug applies
to Mailman 2.1 and we have already said many times that this was a
design decision for Mailman 2.1, we recognize it was a bad decision,
it is finally fixed in Mailman 3 and will not be fixed in Mailman 2.1.

However, to be somewhat more consistent, I have marked #265179 as Won't
Fix for Mailman 2.1.

--
Mark Sapiro <email address hidden>
San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan

Revision history for this message
SonhadorPR (sonhadorpr) wrote :

Hello all!
I don't know if this is the correct post for my problem, but while searching launchpad, the results sent me here. So, here it goes: I am one of the people "responsible", for the "birth and eventual official blessing" of www.ubuntu-pr.org, which is still in its infancy, as a wiki page, for the past 8 years, due to lack of time, experience and interest, to be honest.
I am trying to revive the project, or find someone to hand it to, but I have forgotten the mailing list admin password. I (sonhadorpr[at]gmail) keep getting notices of spam and users wanting to connect, but I can't do anything about it.
How can I reset the password?
There should be a link that allows you to do that, or as mentioned above, some sort of security questions, for these problems.
Thank you for your help!

Revision history for this message
Mark Sapiro (msapiro) wrote :

This bug report has nothing to do with list admin passwords. For information on resetting a list admin password, see the FAQ article at <https://wiki.list.org/x/4030543>. (Mailman 3 has better ways of dealing with lost/forgotten passwords.)
