LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Francoise Becker <[log in to unmask]>
Thu, 26 May 2005 15:31:07 -0400
From the security advisory:

> - Support for version 1.8e (released May 22, 2002) was
> discontinued December 31, 2004. No patches are available for version
> 1.8e or older.

I would like to point out that NGS will not reveal the nature of the 
vulnerability until August, so you have plenty of time to upgrade to 
14.3. 

The vulnerability is very limited in scope, and it would take a brute 
force approach of trying every single WA function and parameter for a 
hacker to find it without NGS's help. There is very little payback 
for the hacker because normally WA is run as an unprivileged user. 
And in one case, the hacker even needs list owner privileges to 
exploit the vulnerability. 

The vulnerability is "high risk" if you allow your CGIs to run under 
a privileged account and/or you have a FAT or FAT32 disk on Windows. 
If your security is locked down tight, there's not much a hacker can 
do using this vulnerability. If your security is loose, then there 
are probably easier ways for a hacker to break into your system.

The biggest risk is if there is another vulnerability somewhere else 
on the system that can be exploited by an unprivileged user. That is, 
there's not much that a hacker can accomplish directly through a 
properly configured WA, but by granting unprivileged access, the 
vulnerability may open a door to a vulnerability in other software.

                             -----------

Rather than trying to retrofit a 14.3 WA with a 1.8e LISTSERV, here 
are my recommendations for sites that are still at 1.8e and for some 
reason or another cannot upgrade to 14.3 yet:

- Make sure your security is locked tight. Don't give "everyone" 
access to any folders on your server. Make sure your web server is 
running as an unprivileged user, give that user read-only access to 
only the files in your web tree, and to the files required by 
LISTSERV (see the admin manual). 

- Only the archives\upload folder should give write-access to the 
web unprivileged user. If you want to be extra careful, remove that 
write-access: bulk operations and uploads will not be possible, but 
it's better to do that than to have all sorts of odd things break by 
using a 14.3 wa with LISTSERV 1.8e. Anyway, it's only a temporary 
measure until you can upgrade to 14.3. Note: Maestro needs that 
upload directory to send jobs: if you use Maestro, I don't recommend 
this. 

- If you use Maestro mostly and don't use the WA interface much, then 
disable the WA interface until you have a chance to upgrade. You need 
LISTSERV 14.3 to upgrade to Maestro 2.0 anyway.

- Upgrade to 14.3 at your own pace. If you can upgrade today, great. 
If you can't, don't panic -- just be more vigilant until you can  
(e.g. keep a close eye on your firewall and internet server logs). 
Upgrade as soon as you can, but don't make things worse by rushing it 
and trying unsupported configurations.

Your mileage may vary. If you're a sweet target for hackers or have 
high security needs, you should make an upgrade to 14.3 a high 
priority. 

Internet security is always a compromise (if you want the tightest 
possible security, stay off the Internet), so in the end it's up to 
you to weigh your risks and priorities. Yes, you are taking a risk if 
you delay, but you have to decide how that risk measures in 
comparison to your other priorities.

-- 
Francoise Becker <[log in to unmask]>

Knowledge is just a click away: http://www.lsoft.com/optin.html
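
The permission recommendations in the message above can be checked with a short PowerShell audit on a Windows server. This is an added example, not part of the original post and not L-Soft tooling; the install root, the web server account name and the location of `archives\upload` under that root are assumptions to replace with your site's values.

```powershell
# Added example: audit folder ACLs against the message's recommendations.
param(
    [string]$Root    = 'C:\LISTSERV',              # assumed install root
    [string]$WebUser = 'WEB-ACCOUNT-PLACEHOLDER',  # assumed web server account
    [string]$Upload  = 'archives\upload'           # assumed to sit under $Root
)

# FAT/FAT32 volumes have no ACLs, so none of the checks below can be enforced.
$fs = (New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Root))).DriveFormat
if ($fs -like 'FAT*') { Write-Warning "$Root is on a $fs volume: no file permissions apply." }

# Localized name of the well-known "Everyone" group (SID S-1-1-0).
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Write, delete and ownership bits, plus GENERIC_WRITE and GENERIC_ALL.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x40000000 -bor 0x10000000

$allowed = Join-Path $Root $Upload
$cmp     = [System.StringComparison]::OrdinalIgnoreCase
$dirs    = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $path     = $dir.FullName
    $inUpload = $path.Equals($allowed, $cmp) -or $path.StartsWith("$allowed\", $cmp)
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who      = $ace.IdentityReference.Value
        $canWrite = ([int]$ace.FileSystemRights -band $mask) -ne 0
        $isWeb    = $who.Equals($WebUser, $cmp) -or $who.EndsWith("\$WebUser", $cmp)
        $issue    = $null
        # "Everyone" should have no access at all; the web account may write only in upload.
        if ($who -eq $everyone) { $issue = 'Everyone has access' }
        elseif ($isWeb -and $canWrite -and -not $inUpload) { $issue = 'web account can write outside upload' }
        if ($issue) {
            [pscustomobject]@{ Path = $path; Identity = $who; Rights = $ace.FileSystemRights; Issue = $issue }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

Run it from an account that can read the ACLs of every folder under the root, otherwise unreadable folders are silently skipped by `Get-ChildItem`.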
