Bugtraq mailing list archives

Re: ezmlm-cgi


From: Frederik Lindberg <fred () cheetahmail com>
Date: Wed, 6 Dec 2000 09:11:54 -0500

On Tue, 5 Dec 2000 10:19:51 +1100, vort-fu wrote:

> Package  : ezmlm-0.53 and below (ezmlm-cgi)
> Announced: 2000-12-05
>
> Ezmlm is an easy to use mailing list manager for qmail. It ships with a
> cgi application to allow for list archiving and reviewal over the
> web. Documentation states that the cgi should be installed suid root, but
> in real world environments, many are not likely to blindly setuid root any
> file they haven't coded themselves (and then some).
>
> Typically this file is setuid user x, allowing for the cgi to access the
> mailing list configurations for that particular user. However, when not
> installed suid root, ezmlm-cgi will attempt to read the configuration file
> from the cwd instead of /etc/ezmlm/. Thus one can create their own
> configuration files and have ezmlm-cgi execute any arbitrary commands under
> the euid of the file.

First, this is NOT part of ezmlm-0.53, but part of an add-on
(ezmlm-idx) released by me. Any fault is mine, not that of the author
of ezmlm-0.53.

Second, I'm really sorry if I missed your post to the author (me) or to
the ezmlm mailing list.

Third, please explain what exactly the problem is?

ezmlm is a package that allows any user to run mailing lists within
their own [mail]address space. ezmlm-cgi allows web access.

ezmlm-cgi is normally installed by a non-privileged user. Here it acts
like any other cgi program controlled by the user. If your web server
executes _user_ CGI programs with the euid of the web server and the
user CGI directory is writable to the user, the user can cause
arbitrary commands to be executed with the euid of the web server. This
also applies to ezmlm-cgi (and its configuration file).

If your web server uses some suexec mechanism to execute _user_ CGI
programs with the euid of the user, and the user had write access to
this CGI directory, the user can cause arbitrary commands to be
executed with the euid of the user. This applies also to ezmlm-cgi (and
its configuration file).

For some installations, the admin wants to give web access to lists
owned by several different users. In this case ezmlm-cgi can be
installed SUID root. Here, it chdir/[chroot]/drops privileges. In this
mode, the configuration file is under /etc. One might argue that
ezmlm-cgi _in this case_ should check that the config file is writable
only to root, but one might also argue that this is a sysadmin
responsibility.

> It is interesting to note that for a file which asks to be installed suid
> root, it doesn't drop privs when executing the banner directive of the
> configuration file nor make any attempts to read the configuration from
> the base directory where the program is stored.

It _does_, _when installed SUID root_. What privileges should it drop
before executing the banner when NOT installed SUID root?

> Actually having this script suid root will fix this particular bug, but I
> wouldn't be surprised if there were many others in the code; I advise
> removing or disabling this cgi until an official patch has been released.

Have you looked at the code? Have you taken any steps other than this
post to prompt "an official patch"?

-- Sincerely, Fred
Frederik Lindberg, CTO, CheetahMail
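The reply above leaves two points open for the SUID-root installation: whether ezmlm-cgi should verify that the configuration under /etc is writable only by root before acting on it, and how privileges are dropped before a banner directive is executed. The C below is an added illustration of both checks, written for this page; it is not code from ezmlm-idx or ezmlm. The function names, the status enum and the /tmp sample files are constructed for the example, and the expected owner is a parameter (0 for a root-owned /etc/ezmlm file) only so that the check can be exercised as an ordinary user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Why a configuration file was rejected (constructed for this example). */
enum cfg_status {
    CFG_OK = 0,
    CFG_NOT_FOUND,          /* cannot be opened */
    CFG_NOT_REGULAR,        /* symlink, directory, device, ... */
    CFG_WRONG_OWNER,        /* not owned by expected_uid */
    CFG_WRITABLE_BY_OTHERS  /* group- or world-writable */
};

/* Open the configuration file and validate it on the open descriptor
 * (fstat, not stat on the path), so the file checked is the file that is
 * later parsed. A SUID-root program would pass expected_uid == 0. */
enum cfg_status open_trusted_config(const char *path, uid_t expected_uid,
                                    int *fd_out)
{
    struct stat st;
    int fd;

    *fd_out = -1;
    /* O_NOFOLLOW makes open() fail with ELOOP if the last path component
     * is a symbolic link, so a user-planted link is never followed. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno == ELOOP ? CFG_NOT_REGULAR : CFG_NOT_FOUND;
    if (fstat(fd, &st) < 0) { close(fd); return CFG_NOT_FOUND; }
    if (!S_ISREG(st.st_mode)) { close(fd); return CFG_NOT_REGULAR; }
    if (st.st_uid != expected_uid) { close(fd); return CFG_WRONG_OWNER; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        close(fd);
        return CFG_WRITABLE_BY_OTHERS;
    }
    *fd_out = fd;
    return CFG_OK;
}

/* Permanently give up root before running anything taken from the
 * configuration (such as a banner command). Supplementary groups and the
 * gid go first, because only root may change them; afterwards setuid(0)
 * must fail, otherwise root could be regained and we refuse to continue. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;  /* "dropping" to root is not dropping */
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0)
        return -1;  /* still able to become root: not safe */
    return 0;
}

/* Write a constructed sample file with an exact mode, independent of umask.
 * Only used to exercise the check above. */
int write_sample_config(const char *path, mode_t mode)
{
    const char *body = "# constructed sample, not a real ezmlm-cgi config\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0 || write(fd, body, strlen(body)) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    int fd;
    write_sample_config("/tmp/ezmlm_cfg_ok", 0600);
    write_sample_config("/tmp/ezmlm_cfg_ww", 0666);
    printf("0600 file: status %d\n",
           open_trusted_config("/tmp/ezmlm_cfg_ok", getuid(), &fd));
    if (fd >= 0)
        close(fd);
    printf("0666 file: status %d\n",
           open_trusted_config("/tmp/ezmlm_cfg_ww", getuid(), &fd));
    return 0;
}
```

Build with `cc -o cfgcheck cfgcheck.c` and run it as a normal user: the 0600 file is accepted and the 0666 file is rejected as writable by others. The check is deliberately done on the descriptor returned by `open()` rather than on the path so that nothing can be swapped in between the permission check and the read, and `drop_privileges()` treats a successful `setuid(0)` after the drop as a fatal error rather than trusting that the earlier calls did what was asked.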
