A previously unknown vulnerability in Mailman, a popular open-source program for managing mailing lists, has led to the theft of the password file for a well-known security discussion group.
The theft, discovered this week and reported in an announcement to the Full Disclosure security mailing list on Wednesday, raises questions about the security of other discussion groups that run the open-source Mailman package. By specially crafting a Web address, an attacker can retrieve the list's password file and so obtain the password of every member of a discussion group.
"Anyone with a Web browser can download a file off a vulnerable system--it's (easy to do)," said John Cartwright, co-founder and manager of the Full Disclosure mailing list. The attack, a remote directory traversal exploit, took place on Jan. 2, according to Cartwright's investigation. "As far as our server goes, there is no evidence that any other files were accessed using this flaw."
The flaw could have far-reaching consequences because some mailing list subscribers replace the randomly generated list password that Mailman assigns them with a password they reuse elsewhere. Since Mailman uses the subscriber's e-mail address as the user name, anyone who reuses a password in this way exposes those other accounts as well.
"In any event, the safest approach is to assume the worst, and it is recommended that you apply this Mailman patch as soon as possible," the advisory stated.
The Full Disclosure discussion list had been running Mailman behind Apache 1.3, a vulnerable configuration. Apache 2.x normalizes the crafted path sequences before they reach Mailman's CGI scripts, so installations behind Apache 2 were not exposed to this particular attack.
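Two checks an administrator would want after a disclosure like this one, written here as an added example (not code from the article, from Mailman or from any of the distributors named): a canonicalize-then-compare test that a CGI script should apply before opening a file named by a URL component, and a scan over Apache-style access log lines that flags traversal attempts, including percent-encoded and over-long dot variants. The archive root, the list name and every log line are constructed for this example; the `naive_strip` function is shown only as the pattern to avoid and is not claimed to be any project's code.

```python
"""
Added example, not code from the article or from the Mailman project.

Two defensive checks for the kind of remote directory traversal the
article describes:

  * is_within_root(): resolve the URL-supplied path against the archive
    root and refuse anything that escapes it.  Canonicalise first, then
    compare; never try to strip ".." sequences out of the string.
  * flag_traversal_requests(): scan Apache-style access log lines for
    traversal attempts, including percent-encoded and over-long dot
    variants, so an administrator can answer "was this flaw used here?"

The archive root and all log lines below are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed location of Mailman's private archives; adjust for a real host.
ARCHIVE_ROOT = "/var/lib/mailman/archives/private"

# A path segment consisting only of two or more dots ("..", "....").
# Applied to the decoded path, not to the raw request line.
TRAVERSAL = re.compile(r"(?:^|/)\.{2,}(?:/|$)")

# Combined Log Format, enough fields for the checks below.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_path(raw):
    """Percent-decode twice (defeats %252e double encoding), drop any
    query string, and treat backslashes as separators."""
    path = raw.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/")


def is_within_root(root, user_path):
    """True only if user_path, joined to root and normalised, stays inside root."""
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(
        posixpath.join(root_norm, decode_path(user_path).lstrip("/"))
    )
    return target == root_norm or target.startswith(root_norm + "/")


def naive_strip(user_path):
    """The pattern to avoid: a single pass of ``.replace('../', '')``.
    Shown only as a counterexample; it is not claimed to be any project's
    code.  An over-long dot run such as '....//' survives it as '../'."""
    return user_path.replace("../", "")


def flag_traversal_requests(log_lines):
    """Return (client_ip, raw_path, status) for every request whose decoded
    path contains a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip, don't crash
        if TRAVERSAL.search(decode_path(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed access log: two benign requests and three traversal attempts
# against the private archive CGI (plain, percent-encoded, over-long dots).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2005:03:14:11 +0000] "GET /mailman/private/example-list/2004-December/thread.html HTTP/1.0" 200 4213
203.0.113.7 - - [02/Jan/2005:03:14:15 +0000] "GET /mailman/private/example-list/../../../../etc/passwd HTTP/1.0" 404 291
198.51.100.22 - - [02/Jan/2005:03:20:01 +0000] "GET /mailman/listinfo/example-list HTTP/1.1" 200 8811
198.51.100.22 - - [02/Jan/2005:03:20:09 +0000] "GET /mailman/private/example-list/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 291
198.51.100.22 - - [02/Jan/2005:03:20:14 +0000] "GET /mailman/private/example-list/....//....//etc/passwd HTTP/1.0" 200 1732
"""

if __name__ == "__main__":
    for ip, path, status in flag_traversal_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {path}")
    print(is_within_root(ARCHIVE_ROOT, "example-list/../../../../etc/passwd"))
```

Note that `is_within_root` accepts `....//etc/passwd`: after normalization that is a literal directory named `....` inside the archive root, which the filesystem will simply fail to find. The same input run through `naive_strip` comes out as `../etc/passwd`, which is why string-stripping filters are the wrong tool and why the log scan looks for any all-dots segment rather than only `..`.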
Linux distributors that package Mailman have already begun releasing fixes. Debian, Ubuntu and Gentoo have published advisories describing the problem and offering updated packages.