Hyperkitty, the web archive interface for Mailman, the popular open source mailing list manager, has patched a high-severity bug that exposed the archives of private mailing lists while they were being imported.
“When importing a private mailing list’s archives, these archives are publicly visible for the duration of the import,” according to an advisory on GitHub. Anyone who knew where to look could download the archives during that window, with no authentication required.
The vulnerability was discovered by Amir Sarabadani, software engineer at Wikimedia Deutschland, while upgrading Wikimedia’s mailing lists from Mailman 2 to Mailman 3.
“We were upgrading a test mailing list that was private but realized during the upgrade it was public. Once the upgrade was done, the list would become private,” Sarabadani told The Daily Swig.
The cause was an insecure default rather than a site misconfiguration: Hyperkitty created the partially imported list with its default visibility, which is public, instead of reading the list’s privacy setting from Mailman, so the archives were world-readable until the import finished and the correct setting was applied.
Sarabadani said the impact of the bug depends on the mailing list and how large its archive is, since the exposure lasts as long as the import. According to the GitHub advisory, an upgrade from an older version of Mailman to version three can take more than an hour.
“Private mailing lists can contain sensitive information, like publicly identifiable information,” Sarabadani said.
“If you communicated publicly that mailing lists are being upgraded [at] certain dates and times as a maintenance window (which you would usually), an attacker can use the opportunity to extract as much private data as possible, especially since Hyperkitty allows you to download all of the archives in batch.”
Patch the parcel
The bug was given a severity score of 7.5. The latest version of Hyperkitty fixes the flaw by reading the privacy setting of each imported list from Mailman before the archives are stored, instead of applying the default (public) setting and correcting it only when the import completes.
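To make the failure mode concrete, the following is an added, constructed model of the two import orderings described above. It is not Hyperkitty’s code and does not use the real Mailman REST API: `FakeMailmanCore`, `ArchivedList`, `import_archives` and the `staff-private` list are all assumptions for illustration. The vulnerable ordering creates the list record with a default public policy and only reads Mailman’s setting at the end; the fixed ordering asks Mailman first. An anonymous access check is run after every imported message to show when the archive is readable.

```python
"""Constructed model of an archive import that exposes a private list mid-import.

Not Hyperkitty's real code. The list model, the fake Mailman client and the
import routine are stand-ins written for this example only.
"""
from dataclasses import dataclass, field, replace

# Archive policies, named as Mailman names them.
PUBLIC = "public"
PRIVATE = "private"


@dataclass
class ArchivedList:
    """Minimal stand-in for the archiver's per-list record."""
    name: str
    archive_policy: str = PUBLIC  # assumed insecure default: public unless told otherwise
    messages: list = field(default_factory=list)


class FakeMailmanCore:
    """Stand-in for Mailman core; answers only 'what is this list's archive policy?'."""

    def __init__(self, policies):
        self._policies = policies

    def archive_policy(self, list_name):
        return self._policies[list_name]


def anonymous_can_read(archived):
    """Access check as an unauthenticated web visitor would experience it."""
    return archived.archive_policy == PUBLIC and len(archived.messages) > 0


def import_archives(list_name, mbox_messages, mailman, read_policy_first):
    """Import messages one at a time, yielding a snapshot of the list after each.

    read_policy_first=False models the vulnerable ordering: the record is created
    with the default policy and corrected only after the last message.
    read_policy_first=True models the fix: fetch the policy from Mailman first,
    so the record is private from the moment it exists.
    """
    if read_policy_first:
        archived = ArchivedList(list_name, archive_policy=mailman.archive_policy(list_name))
    else:
        archived = ArchivedList(list_name)  # default policy applies here
    for msg in mbox_messages:
        archived.messages.append(msg)
        # Snapshot (copy) of what the web UI would serve at this instant.
        yield replace(archived, messages=list(archived.messages))
    if not read_policy_first:
        archived.archive_policy = mailman.archive_policy(list_name)
    yield replace(archived, messages=list(archived.messages))


def _fixture():
    # Constructed sample input: one private list with three messages.
    mailman = FakeMailmanCore({"staff-private": PRIVATE})
    mbox = [f"msg-{i}: constructed sample message" for i in range(3)]
    return mailman, mbox


def exposed_during_import(read_policy_first):
    """True if an anonymous visitor could read any message before the import ended."""
    mailman, mbox = _fixture()
    snapshots = list(import_archives("staff-private", mbox, mailman, read_policy_first))
    return any(anonymous_can_read(s) for s in snapshots[:-1])


def final_policy(read_policy_first):
    """Policy of the list once the import has completed (both orderings end private)."""
    mailman, mbox = _fixture()
    *_, last = import_archives("staff-private", mbox, mailman, read_policy_first)
    return last.archive_policy


if __name__ == "__main__":
    print("vulnerable ordering, readable mid-import:", exposed_during_import(False))
    print("fixed ordering, readable mid-import:", exposed_during_import(True))
    print("final policy either way:", final_policy(False), final_policy(True))
```

The point the model makes is that both orderings end with the list private, which is exactly why the bug is easy to miss in post-upgrade testing; only an access check taken while the import is still running shows the difference.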
“Don’t take security for granted,” Sarabadani said. “A new software being deployed in your infra, no matter how mature, can still have rather major security issues.”
The Daily Swig reached out to the developers of Hyperkitty for comment.
Source: https://portswigger.net/daily-swig/security-vulnerability-in-hyperkitty-could-expose-private-data