Date:         Wed, 6 Dec 2000 09:11:54 -0500
From: Frederik Lindberg <fred@CHEETAHMAIL.COM>
Subject:      Re: ezmlm-cgi
To: BUGTRAQ@SECURITYFOCUS.COM

On Tue, 5 Dec 2000 10:19:51 +1100, vort-fu wrote:

>Package  : ezmlm-0.53 and below (ezmlm-cgi)
>Announced: 2000-12-05
>
>Ezmlm is an easy to use mailing list manager for qmail. It ships with a
>cgi application to allow for list archiving and reviewal over the
>web. Documentation states that the cgi should be installed suid root, but
>in real world environments, many are not likely to blindly setuid root any
>file they haven't coded themselves (and then some).
>
>Typically this file is setuid user x, allowing for the cgi to access the
>mailing list configurations for that particular user. However, when not
>installed suid root, ezmlm-cgi will attempt to read the configuration file
>from the cwd instead of /etc/ezmlm/. Thus one can create their own
>configuration files and have ezmlm-cgi execute any arbitrary commands under
>the euid of the file.

First, this is NOT part of ezmlm-0.53, but part of an add-on
(ezmlm-idx) released by me. Any fault is mine, not that of the author
of ezmlm-0.53.

Second, I'm really sorry if I missed your post to the author (me) or to
the ezmlm mailing list.

Third, please explain what exactly the problem is?

ezmlm is a package that allows any user to run mailing lists within
their own [mail]address space. ezmlm-cgi allows web access.

ezmlm-cgi is normally installed by a non-privileged user. Here it acts
like any other cgi program controlled by the user. If your web server
executes _user_ CGI programs with the euid of the web server and the
user CGI directory is writable to the user, the user can cause
arbitrary commands to be executed with the euid of the web server. This
also applies to ezmlm-cgi (and its configuration file).

If your web server uses some suexec mechanism to execute _user_ CGI
programs with the euid of the user, and the user had write access to
this CGI directory, the user can cause arbitrary commands to be
executed with the euid of the user. This applies also to ezmlm-cgi (and
its configuration file).

For some installations, the admin wants to give web access to lists
owned by several different users. In this case ezmlm-cgi can be
installed SUID root. Here, it chdir/[chroot]/drops privileges. In this
mode, the configuration file is under /etc. One might argue that
ezmlm-cgi _in this case_ should check that the config file is writable
only to root, but one might also argue that this is a sysadmin
responsibility.

>It is interesting to note that for a file which asks to be installed suid
>root, it doesn't drop privs when executing the banner directive of the
>configuration file nor make any attempts to read the configuration from
>the base directory where the program is stored.

It _does_, _when installed SUID root_. What privileges should it drop
before executing the banner when NOT installed SUID root?

>Actually having this script suid root will fix this particular bug, but I
>wouldn't be surprised if there were many others in the code, I advise
>removing or disabling this cgi until an official patch has been released.

Have you looked at the code? Have you taken any steps other than this
post to prompt "an official patch"?

-- Sincerely, Fred
Frederik Lindberg, CTO, CheetahMail
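The reply above raises two concrete points for a setuid-root CGI: it should read its configuration from a fixed location rather than the cwd, it could check that nobody but root can write that file, and it must drop root before executing anything the file names (such as a banner command). The following is an added example written for this page; it is not ezmlm-cgi's or ezmlm-idx's own code, and the config path /etc/example-cgi.conf and the unprivileged uid/gid 65534 are assumptions chosen for illustration. The policy check is kept separate from the system calls so it can be exercised without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure policy check, separate from the syscalls so it can be tested without
 * root: the config is trusted only if it is a regular file owned by
 * trusted_uid with no group or world write bit. */
int config_mode_trusted(mode_t mode, uid_t owner, uid_t trusted_uid)
{
    if (!S_ISREG(mode) || owner != trusted_uid)
        return 0;
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open the config, then validate the file actually opened: fstat() on the
 * descriptor (not stat() on the path) closes the stat/open race, and
 * O_NOFOLLOW refuses a symlink planted at the path.  Returns the fd, or -1
 * with errno set on refusal. */
int open_trusted_config(const char *path, uid_t trusted_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (!config_mode_trusted(st.st_mode, st.st_uid, trusted_uid)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Give up root permanently before running anything named in the config
 * (e.g. a banner command).  Groups first, then gid, then uid; finally
 * verify the drop cannot be undone.  Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                  /* "dropping" to root is not a drop */
    if (setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                  /* still root: refuse to continue */
    return 0;
}

/* Self-check on a scratch file: mode 0600 owned by us is accepted when we
 * are the trusted owner, and the same file made world-writable is refused.
 * Returns 1 if both outcomes are as expected. */
int selftest_on_tempfile(void)
{
    char path[] = "/tmp/cgi-config-XXXXXX";   /* constructed scratch file */
    int ok = 1;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    if (chmod(path, 0600) < 0)
        ok = 0;
    fd = open_trusted_config(path, getuid());
    if (fd < 0)
        ok = 0;
    else
        close(fd);
    if (chmod(path, 0666) < 0)
        ok = 0;
    fd = open_trusted_config(path, getuid());
    if (fd >= 0) {
        ok = 0;
        close(fd);
    }
    unlink(path);
    return ok;
}

int main(void)
{
    /* Absolute path (hypothetical name): a setuid program must never look
     * for its config in the cwd, which the caller controls. */
    const char *cfg = "/etc/example-cgi.conf";
    int fd = open_trusted_config(cfg, 0);
    if (fd < 0) {
        perror(cfg);
        return 1;
    }
    close(fd);                      /* parsing of the config would go here */
    if (geteuid() == 0 && drop_privileges(65534, 65534) < 0) {  /* assumed */
        perror("drop_privileges");
        return 1;
    }
    puts("config trusted and privileges dropped; safe to run the banner");
    return 0;
}
```

Note that the ownership check is only meaningful against the uid the program expects to own the file (root in the setuid-root mode discussed above); in the per-user installation the reply describes, the user owns both the binary and the config, so no such check changes what that user can already do.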