During a penetration test of the Trident software conducted by Black Hills Info Sec, an Information Disclosure issue was discovered.
This requires a low-privilege user account, and the CLI interface via the portal to be enabled.
It was discovered that the portal `/cli/` page, when enabled and given a command such as `ml seckey testgroup admin` as a non-administrator user, disclosed the PGP secret key for the given mailing list.
This function is not exposed to non-sysadmins in the `tcli` command line program, and is only exposed through the portal.
@bapril was notified about this issue over email shortly after it was discovered. It was decided that a public issue ticket for this issue should be made over the past weekend.
The portal CLI page should probably disallow non-sysadmins from accessing this information.
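The fix suggested above is a privilege gate in front of the portal's command dispatcher that matches the one `tcli` already applies. The following Go snippet is an added illustration written for this report, not Trident's own code; the `User` type, the `sysadminOnly` list and the `execute` backend are assumptions standing in for the real portal internals. It shows the unguarded dispatcher next to a hardened one and normalises whitespace in the command line so that `ml  seckey` (extra spaces) is treated the same as `ml seckey`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User models the caller of a portal CLI command. Constructed type for this
// example; it is not Trident's own user structure.
type User struct {
	Name     string
	SysAdmin bool
}

// ErrNotAuthorized is returned when a command requires sysadmin rights.
var ErrNotAuthorized = errors.New("command requires sysadmin privileges")

// sysadminOnly lists command prefixes that must never be served to a
// low-privilege user through the portal. "ml seckey" is the one this issue
// concerns; the list itself is an illustrative assumption.
var sysadminOnly = []string{"ml seckey"}

// runPortalCommandUnsafe mirrors the reported behaviour: whatever the portal
// hands it is executed regardless of who the caller is.
func runPortalCommandUnsafe(u User, cmdline string) (string, error) {
	return execute(cmdline)
}

// runPortalCommand is the hardened variant: the privilege check happens
// before anything is executed, so a non-sysadmin never reaches the backend
// for a restricted command.
func runPortalCommand(u User, cmdline string) (string, error) {
	if requiresSysAdmin(cmdline) && !u.SysAdmin {
		return "", ErrNotAuthorized
	}
	return execute(cmdline)
}

// requiresSysAdmin collapses runs of whitespace before matching so that
// padding between tokens cannot slip a restricted command past the gate.
func requiresSysAdmin(cmdline string) bool {
	norm := strings.Join(strings.Fields(cmdline), " ")
	for _, p := range sysadminOnly {
		if norm == p || strings.HasPrefix(norm, p+" ") {
			return true
		}
	}
	return false
}

// execute stands in for the real command backend. It returns a labelled
// placeholder rather than any real key material.
func execute(cmdline string) (string, error) {
	fields := strings.Fields(cmdline)
	if len(fields) >= 3 && fields[0] == "ml" && fields[1] == "seckey" {
		return fmt.Sprintf("<PLACEHOLDER secret key for list %q>", fields[2]), nil
	}
	return "ran: " + strings.Join(fields, " "), nil
}

func main() {
	low := User{Name: "alice", SysAdmin: false}
	cmd := "ml seckey testgroup admin"

	out, _ := runPortalCommandUnsafe(low, cmd)
	fmt.Println("unsafe dispatcher:", out)

	if _, err := runPortalCommand(low, cmd); err != nil {
		fmt.Println("hardened dispatcher:", err)
	}
}
```

The check is deliberately placed in the dispatcher rather than in the `seckey` handler itself, so that every restricted command is covered by one rule and the portal and `tcli` paths can share the same list.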