[Owasp-leaders] Once again people are tweeting about mailman sending back clear text passwords
Matt Tesauro
mtesauro at gmail.com
Thu Feb 2 02:53:50 UTC 2012
UPDATE #2
First, thanks to all those who manually updated the lists they admin.
Any/all help is greatly appreciated.
Second, Sarah Baso sent me a spreadsheet with a list of all the lists we
host - 743 in total, so manual is really not a very sexy option. However,
I'll use what she sent to create a Google spreadsheet to track getting this
fixed and to note any other issues raised during all this.
I've not been able to find an easy/automated way to set all the current
mail lists to remove those monthly reminders. I am going to continue to
look into this to try to find a way to get all our lists set correctly.
Anyone who has experience with Mailman is welcome to contact me directly.
My administration of Mailman started earlier this AM when I first replied
to this thread so you will not hurt my feelings.
Also, I'll second what Jim Manico said (Mat Caughron++) and request you
send in a patch if you get that far. Also, you may reach out to the
Mailman devs as they are working on a 3.0 branch - though we're currently
running the stable release of the 2.x branch. Project leaders love patches
(I certainly do) and you may provide a great reason for us to move to the
3.x branch.
Cheers!
--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
On Wed, Feb 1, 2012 at 5:22 PM, Jim Manico <jim.manico at owasp.org> wrote:
> If we patch Mailman's password storage mechanism then we also need a hash
> migration strategy so that we can patch existing systems without breaking
> the current plaintext password implementation. We also should deprecate the
> email password sending feature. There are several other areas that will be
> impacted as well (registration, etc).
>
> Taking a step back, this is a thread full of FAIL.
>
> Mat Caughron is the first one to consciously work towards fixing this
> problem for the general community at large. THAT kind of attitude is "the
> big win". I believe this is an example of OWASP at its best. We need to go
> to "them".
>
> Mat, I'll stay the course and help you fix this for Mailman until it's done
> and deployed. Mailman is a common piece of software in very widespread use.
>
> Mat Caughron++
>
> - Jim
>
>
> All:
>
> Password storage in the clear with mailman has been an issue for many
> years.
>
> So let's fix this....
>
>
> To the point of how best to patch Mailman to save hashes not passwords,
> see lines 118-122 and 272-273 in MemberAdaptor.py
>
> 00118     def getMemberPassword(self, member):
> 00119         """Return the member's password.
> 00120
> 00121         If the member KEY/LCE is not a member of the list, raise
> 00122         NotAMemberError.
> (source: http://fossies.org/dox/mailman-2.1.14-1/classMailman_1_1MemberAdaptor_1_1MemberAdaptor.html#afe1b1101cad5a93030181bcd1a6d1627)
>
>
> Further down in the same file:
>
> 00272     def setMemberPassword(self, member, password):
> 00273         """Set the password for member LCE/KEY.
> (source: http://fossies.org/dox/mailman-2.1.14-1/classMailman_1_1MemberAdaptor_1_1MemberAdaptor.html#a96ddda185bbcbc215f84faa6cfc12644)
>
>
>
> Would be good to know what depends on getMemberPassword, particularly in
> cleartext.
>
>
>
> I'll keep digging into where it is best to make a fix for this.
>
>
>
> Mat Caughron
> caughron at gmail.com
> (408) 910-1266
>
>
>
> On Wed, Feb 1, 2012 at 11:16 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>
>> UPDATE: Our default option is off in /etc/mailman/mm_cfg.py
>> [snip]
>> # Unset send_reminders on newly created lists
>> DEFAULT_SEND_REMINDERS = 0
>> [snip]
>>
>> However, I logged into the Live CD list and discovered that it was
>> turned on for my list.
>>
>> It appears that the migration has turned this on for all lists.
>>
>> Short term work around: If you have a project/Chapter/whatever list you
>> can log into the admin page for it and turn this off. Look for "Send
>> monthly password reminders? " and set it to No. If you do this please
>> email me directly with your list's name so I know it no longer needs
>> adjustment. Send the email to matt.tesauro at owasp.org and put "Mailman
>> list update" in the subject line so I can maintain sanity.
>>
>> I'm in between multiple scheduled interviews today so I will research a
>> more scalable solution as the day goes on and post back if/when a better
>> solution is known.
>>
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>>
>>
>> On Wed, Feb 1, 2012 at 10:11 AM, Eoin <eoin.keary at owasp.org> wrote:
>>
>>> Hi,
>>> We are currently fixing this annoyance.
>>> Stay tuned.
>>>
>>>
>>>
>>>
>>> On 1 February 2012 16:03, Tony UcedaVelez <tonyuv at owasp.org> wrote:
>>>
>>>> Ditto here in ATL. Can we disable this functionality of sending out
>>>> these reminder emails in the interim as we find an interim/ long term
>>>> solution to protect passwords on our mailing list?
>>>>
>>>> Tony UV
>>>>
>>>> On Wed, Feb 1, 2012 at 3:59 AM, John Wilander <john.wilander at owasp.org> wrote:
>>>>
>>>>> I've had two chapter members leaving us because of this. Sending out
>>>>> members' passwords in plaintext is nothing less than scandalous for an
>>>>> appsec community. Agree?
>>>>>
>>>>> If I can help out or if there's some setting I've missed, please let
>>>>> me know. And if there's a setting for "Don't send plaintext passwords" it
>>>>> should be on by default.
>>>>>
>>>>> Regards, John
>>>>>
>>>>>
>>>>> 2012/2/1 Erlend Oftedal <Erlend.Oftedal at bekk.no>
>>>>>
>>>>>> This is creating some bad publicity for OWASP.
>>>>>>
>>>>>> We should fix this. See
>>>>>> http://twitter.com/dietervds/statuses/164629488351711232
>>>>>>
>>>>>> OWASP will be put on plaintextoffender.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Erlend Oftedal
>>>>>>
>>>>>> OWASP Norway chapter
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> John Wilander, https://twitter.com/johnwilander
>>>>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>>>>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>>>> My music http://www.johnwilander.com & my résumé
>>>>> http://johnwilander.se
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Tony UcedaVelez
>>>>
>>>> *Atlanta Chapter President*
>>>>
>>>> *OWASP Atlanta*
>>>>
>>>> http://www.owasp.org/index.php/Atlanta_Georgia
>>>>
>>>> Twitter: *@versprite*
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Eoin Keary
>>> OWASP Global Board Member (Vice Chair)
>>>
>>> https://twitter.com/EoinKeary
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>
> --
> Jim Manico
>
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
> jim at owasp.org
> www.owasp.org
>
>
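Matt asks above for an automated way to switch off the monthly reminders on every list, and notes that the DEFAULT_SEND_REMINDERS = 0 line in mm_cfg.py only affects newly created lists (the comment in his snippet says so). The following is an added example, not code from this thread or from the Mailman project. It assumes the Mailman 2.1 `withlist` administration helper, which imports a module by name and calls the function of the same name with each loaded MailList object, so saving this as fix_reminders.py and running `bin/withlist -l -a -r fix_reminders` would visit all lists (-a), lock each one so Save() is permitted (-l), and run the function (-r). The attribute and method names used (send_reminders, Locked, Save, internal_name) are Mailman 2.1 MailList members; the FakeList class is a constructed stand-in so the script can be exercised without a Mailman installation.

```python
"""withlist script: turn off monthly password reminders on every list.

Added example (not Mailman's own code). Run under Mailman 2.1 as:

    bin/withlist -l -a -r fix_reminders

The function is written so it also runs against the FakeList stand-in
below, which is a constructed object used only to exercise the logic.
"""


def fix_reminders(mlist):
    """Set send_reminders to 0 on one list. Returns True if it changed."""
    name = mlist.internal_name()
    if not getattr(mlist, 'send_reminders', 0):
        print('%s: reminders already off' % name)
        return False
    if not mlist.Locked():
        # Save() on an unlocked list is unsafe; insist on withlist -l.
        raise RuntimeError('%s is not locked; run withlist with -l' % name)
    mlist.send_reminders = 0
    mlist.Save()
    print('%s: monthly password reminders turned off' % name)
    return True


class FakeList(object):
    """Constructed stand-in for a Mailman MailList (testing only)."""

    def __init__(self, name, send_reminders, locked=True):
        self._name = name
        self.send_reminders = send_reminders
        self._locked = locked
        self.saved = False

    def internal_name(self):
        return self._name

    def Locked(self):
        return self._locked

    def Save(self):
        self.saved = True


def demo():
    """Run the fixer over a constructed set of lists; return the names changed."""
    lists = [
        FakeList('owasp-leaders', 1),        # migration turned reminders on
        FakeList('owasp-live-cd', 1),
        FakeList('owasp-newlist', 0),        # created after the default was set
    ]
    return [l.internal_name() for l in lists if fix_reminders(l)]


if __name__ == '__main__':
    print(demo())
```

The function refuses to proceed on an unlocked list rather than silently skipping the Save(), so a run without -l fails loudly instead of reporting success while changing nothing on disk.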
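Jim points out above that patching Mailman's password storage needs a hash-migration strategy so existing installs keep working, and Mat asks what depends on getMemberPassword returning cleartext. The following is an added illustration of that strategy, not Mailman code and not a patch to MemberAdaptor.py: it is a standalone Python 3 store whose setMemberPassword and NotAMemberError mirror the names in the thread, with PBKDF2-SHA256 chosen here as the hash. Existing records are plaintext, which means they can be hashed in one batch (migrate_all) without waiting for members to log in; authenticate() also upgrades a legacy record on first successful use, so the two paths can coexist. Nothing in the store can return the original password afterwards, which is exactly why the reminder feature that depends on cleartext retrieval has to be deprecated alongside the storage change. The sample member records are constructed.

```python
"""Hash-migration illustration for stored member passwords (added example,
not Mailman's code). Python 3 standard library only."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100000
PREFIX = 'pbkdf2_sha256$'


class NotAMemberError(KeyError):
    """Stand-in for the exception named in the MemberAdaptor docstring."""


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<salt b64>$<dk b64>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return PREFIX + base64.b64encode(salt).decode() + '$' + base64.b64encode(dk).decode()


def is_hashed(stored):
    return stored.startswith(PREFIX)


class MemberStore(object):
    def __init__(self, legacy_records):
        # legacy_records: member -> plaintext, as an unpatched install holds them.
        self._records = dict(legacy_records)

    def setMemberPassword(self, member, password):
        self._records[member] = hash_password(password)

    def pending_plaintext(self):
        """Members whose record is still plaintext (migration progress check)."""
        return sorted(m for m, s in self._records.items() if not is_hashed(s))

    def migrate_all(self):
        """Batch-hash every plaintext record; returns how many were converted."""
        converted = 0
        for member, stored in list(self._records.items()):
            if not is_hashed(stored):
                self._records[member] = hash_password(stored)
                converted += 1
        return converted

    def authenticate(self, member, password):
        """Verify a password; a legacy plaintext record is upgraded on success."""
        stored = self._records.get(member)
        if stored is None:
            raise NotAMemberError(member)
        if is_hashed(stored):
            _, salt_b64, dk_b64 = stored.split('$')
            salt = base64.b64decode(salt_b64)
            dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
            return hmac.compare_digest(dk, base64.b64decode(dk_b64))
        # Legacy path: constant-time compare, then replace the plaintext record.
        ok = hmac.compare_digest(stored.encode('utf-8'), password.encode('utf-8'))
        if ok:
            self.setMemberPassword(member, password)
        return ok


if __name__ == '__main__':
    # Constructed sample data.
    store = MemberStore({'alice@example.org': 'hunter2', 'bob@example.org': 'correct horse'})
    print('pending before login:', store.pending_plaintext())
    print('alice logs in:', store.authenticate('alice@example.org', 'hunter2'))
    print('pending after login:', store.pending_plaintext())
    print('batch converted:', store.migrate_all())
    print('pending after batch:', store.pending_plaintext())
```

In a real deployment the batch conversion is the step to run at upgrade time, since the plaintext is already on disk; the lazy upgrade in authenticate() is only a fallback for records the batch could not reach.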