
Stop storing Mailman passwords in plain text
Closed, Resolved · Public · Security

Description

When resetting passwords and once a month in the daily mailing list reminder, I get my password sent to me in plain text, meaning that we don’t hash and salt the passwords. This seems like security issue.
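The description asks for passwords to be hashed and salted instead of stored so they can be mailed back. The following is an added example, not code from this task or from Mailman, contrasting the two storage patterns: a store that keeps the password itself (so a reminder mail can reproduce it, and so can anyone who reads the database) beside a salted PBKDF2 store where the only way back in is a short-lived, single-use reset token. The class names, the token lifetime and the sample subscriber address are assumptions made for the example.

```python
"""Subscriber password storage with and without plaintext recovery.

Added example, not Mailman's code. PlaintextStore mirrors the behaviour the
task complains about; HashedStore shows salted hashing plus a one-time reset
token in place of the monthly password reminder. Names are invented.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 3600      # assumed lifetime of a reset token


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PlaintextStore:
    """The pattern the task describes: the stored value is the password itself."""

    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {}

    def enroll(self, email: str, password: str) -> None:
        self.passwords[email] = password

    def reminder_text(self, email: str) -> str:
        # A monthly reminder is only possible because the secret is recoverable.
        return f"Your list password is: {self.passwords[email]}"


class HashedStore:
    """Salted-hash storage: no reminder is possible, so offer a reset token instead."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.records: Dict[str, str] = {}
        # email -> (sha256(token), expiry); the token itself is never stored
        self.reset_tokens: Dict[str, Tuple[bytes, float]] = {}
        self.now = now

    def enroll(self, email: str, password: str) -> None:
        self.records[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self.records.get(email)
        return record is not None and verify_password(password, record)

    def issue_reset_token(self, email: str) -> str:
        """Return the token to put in the e-mail; only its hash stays server-side."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).digest()
        self.reset_tokens[email] = (token_hash, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, email: str, token: str, new_password: str) -> bool:
        """Accept the token once, before expiry, and set a new hashed password."""
        entry = self.reset_tokens.get(email)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.now() > expiry:
            self.reset_tokens.pop(email, None)   # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(token_hash, presented):
            return False                         # wrong token; keep the real one
        self.reset_tokens.pop(email, None)       # single use
        self.records[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    subscriber = "subscriber@example.org"       # constructed sample address
    old = PlaintextStore()
    old.enroll(subscriber, "hunter2")
    print(old.reminder_text(subscriber))         # the secret comes straight back
    new = HashedStore()
    new.enroll(subscriber, "hunter2")
    print(new.records[subscriber])               # salt and digest only
    token = new.issue_reset_token(subscriber)
    print(new.redeem_reset_token(subscriber, token, "correct horse battery staple"))
```

The point of the comparison is the one the task makes: once the store holds only salt and digest, the monthly reminder cannot exist, because nothing in the database can reproduce the password. The reset path is what replaces it, and the token is treated like a password too (hashed at rest, compared in constant time, expiring, single use).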

Related Objects

Status     Subtype   Assigned     Task
Resolved   Security  None
Resolved             None
Resolved             None
Resolved             None
Resolved             Ladsgroup
Resolved             Marostegui
Resolved             None
Resolved             Legoktm
Declined             Ladsgroup
Resolved             bd808
Resolved             Ladsgroup
Resolved             bd808
Resolved             Legoktm
Open                 None
Resolved             Dzahn
Resolved             Legoktm
Resolved             Legoktm
Resolved             Legoktm
Resolved             Legoktm
Resolved             Ladsgroup
Resolved             Legoktm
Resolved             Ladsgroup
Resolved             Marostegui
Resolved             Ladsgroup
Duplicate            None

Event Timeline

Josve05a updated the task description.

It's a very well known problem in Mailman 2

This ticket is simply not fixable in Mailman 2 afaik. Similar: https://phabricator.wikimedia.org/T59787

Legoktm renamed this task from "Stop storing passwords in plain text" to "Stop storing Mailman passwords in plain text". Dec 1 2017, 4:32 PM
Reedy triaged this task as High priority. Feb 12 2018, 10:27 AM
Reedy moved this task from Backlog / Other to Operational issues on the acl*security board.
Josve05a changed the subtype of this task from "Task" to "Security Issue". Nov 8 2019, 9:23 PM

Can this be locked to Security or acl*security_team members only? It's not smart to keep such an issue available for everyone to see.

It's kind of obvious when mailman keeps sending people monthly password reminders

Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.

Threat-modeling this a bit, I personally think it far more likely that a malicious actor happens across lists.wikimedia.org and sees it's running a preposterously outdated version of Mailman and goes from there, as opposed to finding random, public Phab bugs like this one. The solution here is to upgrade Mailman, which has been discussed for several years now (see: T52864, T97492, T66547, T130554) where the exact issue this task describes has been previously noted (T97492#1243823). The upgrade just needs to be prioritized and scheduled, which can be a very complicated process around here.

Keep in mind these passwords are (mostly?) randomly chosen by mailman, not the user, so they are closer to tokens than traditional passwords (doesn't make this less terrible, but adjusts the threat model slightly)

Ladsgroup added a subscriber: Ladsgroup.

Mailman2 is now officially dead.