Page MenuHomePhabricator
Create Task
Maniphest T181803

Stop storing Mailman passwords in plain text
Closed, ResolvedPublicSecurity
Actions

Description

When resetting passwords and once a month in the daily mailing list reminder, I get my password sent to me in plain text, meaning that we don’t hash and salt the passwords. This seems like security issue.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedSecurityNoneT181803 Stop storing Mailman passwords in plain text
 ResolvedNoneT52864 Upgrade GNU Mailman from 2.1 to Mailman3
 ResolvedNoneT130554 Official support for upgrade from existing Mailman 2.1 lists to Mailman 3
 ResolvedNoneT256536 Puppetize mailman3
 ResolvedLadsgroupT256542 Puppetize mailman3 web and hyperkitty (mailman archiver)
 Resolved MarosteguiT256538 Create test databases for mailman3
 ResolvedNoneT256539 Figure out a way to sync old and new mailman
 ResolvedLegoktmT256541 Fix the problem with gravatar and mailman3
 DeclinedLadsgroupT276687 Backport hyperkitty 1.3.4 for buster
 Resolvedbd808T257270 Request creation of mailman VPS project
 ResolvedLadsgroupT258365 Setup Mailman3 in Cloud VPS
 Resolvedbd808T259444 Request for creating a DNS record for lists.wmcloud.org to 185.15.56.28
 ResolvedLegoktmT276686 Requesting a test VM in production for mailman3
 DeclinedNoneT276697 Implement central logging for mailman3
 ResolvedDzahnT276712 Request for creation of mailman3-roots group
 ResolvedLegoktmT277263 Enable CSP for mailman3
 ResolvedLegoktmT277286 Make puppet for mailman3 ready for production
 ResolvedLegoktmT278280 Setup monitoring for mailman3
 ResolvedLegoktmT278352 Figure out dkim for mailman3
 ResolvedLadsgroupT278609 Import several public mailing lists archives from mailman2 to lists-next to measure database size
 ResolvedLegoktmT278610 Install mailman3 on lists1001.wikimedia.org
 ResolvedLadsgroupT278612 Install mailman3 and mailman2 at the same time on the cloud
 Resolved MarosteguiT278614 Create production databases for mailman3
 ResolvedLadsgroupT280322 Upgrade mailing lists from mailman2 to 3 in batches
 DuplicateNoneT284045 Still getting "lists.wikimedia.org mailing list memberships reminder" email

Event Timeline

Josve05a created this task.Dec 1 2017, 1:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2017, 1:36 PM
Josve05a added a project: acl*security.Dec 1 2017, 2:12 PM
Josve05a updated the task description. (Show Details)
Josve05a updated the task description. (Show Details)
MarcoAurelio subscribed.Dec 1 2017, 2:13 PM

Maybe this could be resolved with T52864?

Reedy subscribed.Dec 1 2017, 2:20 PM

It's a very well known problem in Mailman 2

Aklapper added a comment.Dec 1 2017, 2:25 PM

This ticket is simply not fixable in Mailman 2 afaik. Similar: https://phabricator.wikimedia.org/T59787

Aklapper added a subtask: T52864: Upgrade GNU Mailman from 2.1 to Mailman3.Dec 1 2017, 2:25 PM
AdHuikeshoven awarded a token.Dec 1 2017, 2:29 PM
Legoktm renamed this task from Stop storing passwords in plain text to Stop storing Mailman passwords in plain text.Dec 1 2017, 4:32 PM
RobH moved this task from Backlog to Mailman v3 on the Wikimedia-Mailing-lists board.Dec 7 2017, 11:39 PM
alaa subscribed.Jan 27 2018, 12:23 AM
He7d3r subscribed.Feb 2 2018, 11:59 AM
Reedy triaged this task as High priority.Feb 12 2018, 10:27 AM
Reedy moved this task from Backlog / Other to Operational issues on the acl*security board.
MarcoAurelio mentioned this in T52864: Upgrade GNU Mailman from 2.1 to Mailman3.Mar 6 2018, 12:04 PM
MarcoAurelio awarded a token.Aug 10 2018, 10:17 AM
Restricted Application added a project: SRE. · View Herald TranscriptAug 10 2018, 10:17 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:37 PM
kolbert subscribed.Aug 3 2019, 7:04 PM
Josve05a added a project: User-Josve05a.Aug 28 2019, 9:00 PM
Josve05a moved this task from Backlog to Continue to complain about on the User-Josve05a board.
Josve05a added a project: Privacy.
Josve05a changed the subtype of this task from "Task" to "Security Issue".Nov 8 2019, 9:23 PM
Krenair subscribed.Nov 8 2019, 9:23 PM
Apap04 subscribed.Nov 14 2019, 4:05 AM

Can this be locked to Security or acl*security_team members only? It's not smart to keep such issue available for everyone to see.

Bawolff subscribed.Nov 14 2019, 4:19 AM

Its kind of obvious when mailman keeps sending people monthly password reminders

Apap04 added a comment.Nov 15 2019, 2:30 AM
In T181803#5662528, @Bawolff wrote:

Its kind of obvious when mailman keeps sending people monthly password reminders

Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.

Amorymeltzer subscribed.Nov 15 2019, 2:57 AM
sbassett subscribed.Nov 15 2019, 4:33 PM
In T181803#5666088, @Apap04 wrote:

Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.

Threat-modeling this a bit, I personally think it far more likely that a malicious actor happens across lists.wikimedia.org and sees it's running a preposterously outdated version of Mailman and goes from there, as opposed to finding random, public Phab bugs like this one. The solution here is to upgrade Mailman, which has been discussed for several years now (see: T52864, T97492, T66547, T130554) where the exact issue this task describes has been previously noted (T97492#1243823). The upgrade just needs to be prioritized and scheduled, which can be a very complicated process around here.

Bawolff added a comment.Nov 15 2019, 5:57 PM

Keep in mind these passwords are (mostly?) randomly chosen by mailman not the user, so they are closer to tokens than traditional passwords (doesnt make this less terrible, but adjusts the threat model slightly)

suffusion_of_yellow subscribed.Nov 17 2019, 5:35 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
JFishback_WMF moved this task from Intake to Backlog on the Privacy board.Mar 12 2020, 1:12 AM
Ladsgroup changed the status of subtask T52864: Upgrade GNU Mailman from 2.1 to Mailman3 from Stalled to Open.Jun 6 2020, 4:39 PM
Nintendofan885 subscribed.Sep 8 2020, 8:20 AM
DannyS712 subscribed.Sep 10 2020, 12:37 PM
Aklapper removed a subtask: T272778: Show listadmins (names or email addresses?) on main page of each mailing list.Jan 23 2021, 5:03 PM
Ladsgroup moved this task from Mailman v3 to Mailman2 limitations on the Wikimedia-Mailing-lists board.Mar 26 2021, 9:34 PM
Ladsgroup mentioned this in T278614: Create production databases for mailman3.Apr 5 2021, 12:50 PM
Ladsgroup closed this task as Resolved.Jun 1 2021, 3:40 PM
Ladsgroup closed subtask T52864: Upgrade GNU Mailman from 2.1 to Mailman3 as Resolved.
Ladsgroup subscribed.

Mailman2 is now officially dead.

sbassett awarded a token.Jun 1 2021, 4:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits