[Owasp-leaders] Once again people are tweeting about mailman sending back clear text passwords
Azeddine Islam Mennouchi
azeddine.mennouchi at owasp.org
Thu Feb 2 09:03:37 UTC 2012
After a little digging I think the 3.0.26 is stable and free of bugs and
exploits
On Thu, Feb 2, 2012 at 9:11 AM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
> Big thanks to Matt and Mat for fixing this. In regards to Jim's point,
> helping mailman do a security review would be a good thing. Whether to
> spend time fixing v2, I guess depends on the timeline for v3, and how
> painful an upgrade will be (not just for OWASP).
>
> Erlend
>
>
> ------------------------------
> From: Matt Tesauro
> Sent: 02/02/2012 05:34
> To: Mat Caughron
> Cc: owasp-leaders at lists.owasp.org
>
> Subject: Re: [Owasp-leaders] Once again people are tweeting about mailman
> sending back clear text passwords
>
> UPDATE #3: Ding-Dong! The witch is dead! [1]
>
> After the pointer from Mat Caughron, I looked into the cron
> configuration and made the following change to the crond.d script:
>
> $ diff orig.mailman new.mailman
> 13,14c13,14
> < # 5 AM on the first of each month, mail out password reminders.
> < 0 5 1 * * list [ -x /usr/lib/mailman/cron/mailpasswds ] &&
> /usr/lib/mailman/cron/mailpasswds
> ---
> > #MAT## 5 AM on the first of each month, mail out password reminders.
> > #MAT#0 5 1 * * list [ -x /usr/lib/mailman/cron/mailpasswds ] &&
> /usr/lib/mailman/cron/mailpasswds
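Review bot: the `#MAT#` prefix on the two replaced lines records who commented the entry out but not why; a one-line comment naming the reason (the job mails members their passwords in clear text) would help the next administrator, because the per-list send_reminders settings stay switched on and simply restoring these two lines re-enables the monthly reminder for every hosted list.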
>
> So, now the password reminders won't go out even if an individual list
> admin turns them on. This is a bit of a sledge hammer approach but it
> definitely solves our problem in the near term and globally for all 700+
> lists.
>
> Anybody have a clue if the 3.0 branch of Mailman (~ Now with Hashes! ~)
> is considered stable? I'd consider upgrading if it was stable code.
>
> [1] http://en.wikipedia.org/wiki/Ding-Dong!_The_Witch_Is_Dead
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Wed, Feb 1, 2012 at 9:04 PM, Mat Caughron <caughron at gmail.com> wrote:
>
>> Forwarding insights from mailman developer Barry Warsaw (barry at python.org)
>>
>> ---------- Forwarded message ----------
>> From: Barry Warsaw <barry at python.org>
>> Date: Wed, Feb 1, 2012 at 3:35 PM
>> Subject: Re: Mailman password storage question
>> To: Mat Caughron <caughron at gmail.com>
>>
>> On Feb 01, 2012, at 05:01 PM, Mat Caughron wrote:
>> >Was digging around in mailman source and find myself confused as to where the
>> >schema is located that stores user passwords. The ultimate goal here is to
>> >change this to NOT store passwords in the clear.
>>
>> In Mailman 2.1, take a look at OldStyleMemberships.py. Ultimately everything
>> else that gets or sets passwords uses this implementation of the
>> MemberAdaptor.py interface. Of course, they all expect plain text passwords,
>> so it may be difficult to keep certain functionality with hashed passwords,
>> but give it a try.
>>
>> We can't change this in Mailman 2.1 though, and of course Mailman 3 hashes
>> passwords anyway, but anything you come up with could be a useful contribution
>> to others. You should consider pushing a branch to Launchpad.
>>
>> Cheers,
>> -Barry
>>
>>
>> also:
>>
>> Note that it is possible in stock Mailman to disable all plain text password
>> reminders, at a user level, at a list level, and site-wide. Just disable the
>> cron job that sends the reminders.
>>
>>
>> On Wed, Feb 1, 2012 at 6:53 PM, Matt Tesauro <mtesauro at gmail.com> wrote:
>> > UPDATE #2
>> >
>> > First, thanks to all those who manually updated the lists they admin.
>> > Any/all help is greatly appreciated.
>> >
>> > Second, Sarah Baso sent me a spreadsheet with a list of all the lists we
>> > host - 743 in total so manual is really not a very sexy option. However,
>> > I'll use what she sent to create a Google spreadsheet to track getting this
>> > fixed and to note any other issues raised during all this.
>> >
>> > I've not been able to find an easy/automated way to set all the current mail
>> > lists to remove those monthly reminders. I am going to continue to look into
>> > this to try to find a way to get all our lists set correctly. Anyone who
>> > has experience with Mailman is welcome to contact me directly. My
>> > administration of Mailman started earlier this AM when I first replied to
>> > this thread so you will not hurt my feelings.
>> >
>> > Also, I'll second what Jim Manico said (Mat Caughron++) and request you send
>> > in a patch if you get that far. Also, you may reach out to the Mailman devs
>> > as they are working on a 3.0 branch - though we're currently running the
>> > stable release of the 2.x branch. Project leaders love patches (I certainly
>> > do) and you may provide a great reason for us to move to the 3.x branch.
>> >
>> > Cheers!
>> >
>> > --
>> > -- Matt Tesauro
>> > OWASP Board Member
>> > OWASP WTE Project Lead
>> > http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> > http://AppSecLive.org - Community and Download site
>> >
>> >
>> > On Wed, Feb 1, 2012 at 5:22 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >> If we patch Mailman's password storage mechanism then we also need a hash
>> >> migration strategy so that we can patch existing systems without breaking
>> >> the current plaintext password implementation. We also should deprecate the
>> >> email password sending feature. There are several other areas that will be
>> >> impacted as well (registration, etc).
>> >>
>> >> Taking a step back, this is a thread full of FAIL.
>> >>
>> >> Mat Caughron is the first one to consciously work towards fixing this
>> >> problem for the general community at large. THAT kind of attitude is "the
>> >> big win". I believe this is an example of OWASP at its best. We need to go
>> >> to "them".
>> >>
>> >> Mat, I'll stay the course and help you fix this for Mailman until it's done
>> >> and deployed. Mailman is a common piece of software in very widespread use.
>> >>
>> >> Mat Caughron++
>> >>
>> >> - Jim
>> >>
>> >>
>> >> All:
>> >>
>> >> Password storage in the clear with mailman has been an issue for many
>> >> years.
>> >>
>> >> So let's fix this....
>> >>
>> >>
>> >> To the point of how best to patch Mailman to save hashes not passwords,
>> >> see lines 118-122 and 272-273 in MemberAdaptor.py
>> >>
>> >> 00118 def getMemberPassword(self, member):
>> >> 00119 """Return the member's password.
>> >> 00120
>> >> 00121 If the member KEY/LCE is not a member of the list, raise
>> >> 00122 NotAMemberError.
>> >>
>> >>
>> >> Further down in the same file:
>> >>
>> >> 00272 def setMemberPassword(self, member, password):
>> >> 00273 """Set the password for member LCE/KEY.
>> >>
>> >>
>> >>
>> >> Would be good to know what depends on getMemberPassword, particularly in
>> >> cleartext.
>> >>
>> >>
>> >>
>> >> I'll keep digging into where it is best to make a fix for this.
>> >>
>> >>
>> >>
>> >> Mat Caughron
>> >> caughron at gmail.com
>> >> (408) 910-1266
>> >>
>> >>
>> >>
>> >> On Wed, Feb 1, 2012 at 11:16 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>> >>>
>> >>> UPDATE: Our default option is off in /etc/mailman/mm_cfg.py
>> >>> [snip]
>> >>> # Unset send_reminders on newly created lists
>> >>> DEFAULT_SEND_REMINDERS = 0
>> >>> [snip]
>> >>>
>> >>> However, I logged into the Live CD list and discovered that it was turned
>> >>> on for my list.
>> >>>
>> >>> It appears that the migration has turned this on for all lists.
>> >>>
>> >>> Short term work around: If you have a project/Chapter/whatever list you
>> >>> can log into the admin page for it and turn this off. Look for "Send
>> >>> monthly password reminders?" and set it to No. If you do this please email
>> >>> me directly with your list's name so I know it no longer needs adjustment.
>> >>> Send the email to matt.tesauro at owasp.org and put "Mailman list update" in
>> >>> the subject line so I can maintain sanity.
>> >>>
>> >>> I'm in between multiple scheduled interviews today so I will research a
>> >>> more scalable solution as the day goes on and post back if/when a better
>> >>> solution is known.
>> >>>
>> >>>
>> >>> --
>> >>> -- Matt Tesauro
>> >>> OWASP Board Member
>> >>> OWASP WTE Project Lead
>> >>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> >>> http://AppSecLive.org - Community and Download site
>> >>>
>> >>>
>> >>> On Wed, Feb 1, 2012 at 10:11 AM, Eoin <eoin.keary at owasp.org> wrote:
>> >>>>
>> >>>> Hi,
>> >>>> We are currently fixing this annoyance.
>> >>>> Stay tuned.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On 1 February 2012 16:03, Tony UcedaVelez <tonyuv at owasp.org> wrote:
>> >>>>>
>> >>>>> Ditto here in ATL. Can we disable this functionality of sending out
>> >>>>> these reminder emails in the interim as we find an interim/long term
>> >>>>> solution to protect passwords on our mailing list?
>> >>>>>
>> >>>>> Tony UV
>> >>>>>
>> >>>>> On Wed, Feb 1, 2012 at 3:59 AM, John Wilander <john.wilander at owasp.org> wrote:
>> >>>>>>
>> >>>>>> I've had two chapter members leaving us because of this. Sending out
>> >>>>>> members' passwords in plaintext is nothing less than scandalous for an
>> >>>>>> appsec community. Agree?
>> >>>>>>
>> >>>>>> If I can help out or if there's some setting I've missed, please let
>> >>>>>> me know. And if there's a setting for "Don't send plaintext passwords" it
>> >>>>>> should be on by default.
>> >>>>>>
>> >>>>>> Regards, John
>> >>>>>>
>> >>>>>>
>> >>>>>> 2012/2/1 Erlend Oftedal <Erlend.Oftedal at bekk.no>
>> >>>>>>>
>> >>>>>>> This is creating some bad publicity for OWASP.
>> >>>>>>>
>> >>>>>>> We should fix this. See
>> >>>>>>> http://twitter.com/dietervds/statuses/164629488351711232
>> >>>>>>>
>> >>>>>>> OWASP will be put on plaintextoffender.com
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> Best regards,
>> >>>>>>>
>> >>>>>>> Erlend Oftedal
>> >>>>>>>
>> >>>>>>> OWASP Norway chapter
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> OWASP-Leaders mailing list
>> >>>>>>> OWASP-Leaders at lists.owasp.org
>> >>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> --
>> >>>>>> John Wilander, https://twitter.com/johnwilander
>> >>>>>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> >>>>>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>> >>>>>> My music http://www.johnwilander.com & my résumé
>> >>>>>> http://johnwilander.se
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>>
>> >>>>> Tony UcedaVelez
>> >>>>>
>> >>>>> Atlanta Chapter President
>> >>>>>
>> >>>>> OWASP Atlanta
>> >>>>>
>> >>>>> http://www.owasp.org/index.php/Atlanta_Georgia
>> >>>>>
>> >>>>> Twitter: @versprite
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Eoin Keary
>> >>>> OWASP Global Board Member (Vice Chair)
>> >>>>
>> >>>> https://twitter.com/EoinKeary
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Jim Manico
>> >>
>> >> Connections Committee Chair
>> >> Cheatsheet Series Product Manager
>> >> OWASP Podcast Producer/Host
>> >>
>> >> jim at owasp.org
>> >> www.owasp.org
>> >
>> >
>>
>
>
>
>
--
Islam Azeddine Mennouchi
OWASP ALGERIA Chapter Leader
phone n°: +213796314102
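Jim Manico's point in the thread is that hashing Mailman's stored passwords needs a migration strategy so existing plaintext rows keep working, and Barry Warsaw notes that every caller of the MemberAdaptor interface expects plaintext. The block below is an added example, not Mailman code and not something anyone on the thread wrote: a MemberAdaptor-style store that keeps accepting legacy clear-text rows, converts each one to a salted PBKDF2 hash the first time that member authenticates, and refuses the `getMemberPassword` call that the reminder cron job relied on. The class name `HashedMemberships`, the `authenticateMember`/`unmigrated_members` helpers, the PBKDF2 parameters and the sample member rows are assumptions made for this example.

```python
# Added example; not Mailman code. Shows a plaintext-to-hash migration for a
# MemberAdaptor-style store: legacy clear-text rows are verified and rehashed
# in place on first successful login, new passwords are only ever stored hashed.
# HashedMemberships, the PBKDF2 parameters and SAMPLE_ROWS are assumptions.
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000          # assumed cost parameter
HASH_PREFIX = "$pbkdf2-sha256$"      # marks a migrated row


class NotAMemberError(Exception):
    """Raised for an address that is not subscribed (as in the MemberAdaptor docstrings)."""


def hash_password(password, salt=None):
    """Return a self-describing salted hash: $pbkdf2-sha256$<iters>$<salt>$<dk>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s%d$%s$%s" % (
        HASH_PREFIX,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_hashed(stored):
    """Tell a migrated row from a legacy clear-text one by its prefix."""
    return stored.startswith(HASH_PREFIX)


def verify_hash(stored, password):
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


class HashedMemberships:
    """Hash-only replacement for the clear-text getMemberPassword/setMemberPassword pair."""

    def __init__(self, rows):
        # rows maps member address -> stored value (legacy clear text or a hash)
        self._passwords = dict(rows)

    def setMemberPassword(self, member, password):
        if member not in self._passwords:
            raise NotAMemberError(member)
        self._passwords[member] = hash_password(password)

    def authenticateMember(self, member, password):
        """Check a password; a correct password against a legacy row upgrades it in place."""
        stored = self._passwords.get(member)
        if stored is None:
            raise NotAMemberError(member)
        if is_hashed(stored):
            return verify_hash(stored, password)
        # Legacy clear-text row: constant-time compare, then rehash on success so the
        # clear-text value leaves storage without forcing a password reset.
        ok = hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
        if ok:
            self.setMemberPassword(member, password)
        return ok

    def getMemberPassword(self, member):
        """cron/mailpasswds depended on this; once rows are hashed it cannot be served."""
        if member not in self._passwords:
            raise NotAMemberError(member)
        raise NotImplementedError("clear-text passwords are not recoverable from hashes")

    def unmigrated_members(self):
        """List rows still in clear text so an admin can track migration progress."""
        return sorted(m for m, v in self._passwords.items() if not is_hashed(v))


# Constructed sample data: one legacy clear-text row and one already-hashed row.
SAMPLE_ROWS = {
    "legacy@example.org": "hunter2",
    "migrated@example.org": hash_password("correct horse", salt=b"\x00" * 16),
}


def demo():
    """Run the migration scenario and return the observable results as a tuple."""
    store = HashedMemberships(SAMPLE_ROWS)
    before = store.unmigrated_members()                              # legacy row present
    wrong = store.authenticateMember("legacy@example.org", "wrong")  # no upgrade on failure
    still_legacy = store.unmigrated_members()
    right = store.authenticateMember("legacy@example.org", "hunter2")  # upgrades the row
    after = store.unmigrated_members()                               # nothing left in clear
    again = store.authenticateMember("legacy@example.org", "hunter2")  # now via the hash
    other = store.authenticateMember("migrated@example.org", "correct horse")
    return before, wrong, still_legacy, right, after, again, other


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that a failed login never touches the row, so an attacker cannot use the migration path to learn anything, while `unmigrated_members()` gives the administrator the same visibility Matt wanted from his spreadsheet: which rows still hold clear text and therefore still need either a login or a forced reset.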
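Matt's two mitigations in the thread are site-wide: `DEFAULT_SEND_REMINDERS = 0` in `/etc/mailman/mm_cfg.py` (which only affects newly created lists) and commenting out the `cron/mailpasswds` entry (which stops reminders for every list regardless of its own setting). The block below is an added example, not Mailman code and not from anyone on the thread: a small audit that reads crontab and mm_cfg.py text and reports whether clear-text reminders can still go out. The sample file contents are constructed to mirror the diff and the mm_cfg snippet quoted above, and the accepted spellings of the setting value are an assumption.

```python
# Added example; not Mailman code. Audits the two settings changed in the thread:
# the cron.d entry that runs cron/mailpasswds and DEFAULT_SEND_REMINDERS in
# mm_cfg.py. File contents below are constructed samples.
import re

# Constructed crontab text "before" the change: the reminder job is live.
CRON_BEFORE = """\
# 5 AM on the first of each month, mail out password reminders.
0 5 1 * * list [ -x /usr/lib/mailman/cron/mailpasswds ] && /usr/lib/mailman/cron/mailpasswds
"""

# Constructed crontab text "after" the change, with the #MAT# marker from the diff.
CRON_AFTER = """\
#MAT## 5 AM on the first of each month, mail out password reminders.
#MAT#0 5 1 * * list [ -x /usr/lib/mailman/cron/mailpasswds ] && /usr/lib/mailman/cron/mailpasswds
"""

# Constructed mm_cfg.py excerpt matching the quoted [snip] block.
MM_CFG_SAMPLE = """\
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
"""

# Assumed spellings for the setting; Mailman configs use both ints and Yes/No.
_TRUTHY = {"1": 1, "true": 1, "yes": 1, "0": 0, "false": 0, "no": 0}


def active_reminder_jobs(crontab_text):
    """Return the uncommented crontab lines that would run cron/mailpasswds."""
    jobs = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out, including the #MAT# prefix
        if "mailpasswds" in stripped:
            jobs.append(stripped)
    return jobs


def default_send_reminders(mm_cfg_text):
    """Parse DEFAULT_SEND_REMINDERS as 0/1 from mm_cfg.py text; None if absent or unrecognised."""
    m = re.search(r"^\s*DEFAULT_SEND_REMINDERS\s*=\s*(\w+)", mm_cfg_text, re.MULTILINE)
    if not m:
        return None
    return _TRUTHY.get(m.group(1).lower())


def audit(crontab_text, mm_cfg_text):
    """Summarise the site-wide reminder posture from the two files."""
    jobs = active_reminder_jobs(crontab_text)
    return {
        # The cron entry is the kill switch: with it gone no list sends reminders,
        # whatever its per-list send_reminders value says.
        "cron_reminders_active": bool(jobs),
        "active_jobs": jobs,
        # The default only governs lists created from now on; existing lists keep
        # whatever value the migration left them with.
        "default_send_reminders": default_send_reminders(mm_cfg_text),
    }


if __name__ == "__main__":
    print(audit(CRON_BEFORE, MM_CFG_SAMPLE))
    print(audit(CRON_AFTER, MM_CFG_SAMPLE))
```

Running `audit()` against the real files (`/etc/cron.d/mailman` and `/etc/mailman/mm_cfg.py` on the thread's layout) gives a quick regression check after package upgrades, which is when a commented-out cron entry is most likely to come back.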