Re: v11.16.0 Released - CSRF Security Vulnerabilities Found, upgrading highly suggested
On Sep 20, 2021, at 1:56 PM, Justin John justin@PROTECTED [Dada Mail Developers] <dadadev@PROTECTED> wrote:
From: justin@PROTECTED
Hello everyone,
v11.16.0 has been released!
Download and install:
https://dadamailproject.com/d/install_dada_mail.pod.html
A CSRF Vulnerability has been found in Dada Mail and this release is primarily put out to fix it. All versions of Dada Mail below v11.16.0 are vulnerable and it’s another upgrade that I would suggest for absolutely everyone.
Changelog (and below): https://dadamailproject.com/d/changes_11_x.pod.html#pod11.16.0
Focus
This version of Dada Mail has been released primarily to fix a security vulnerability dealing with Cross-Site Request Forgery (CSRF).
Enhanced Cross-Site Request Forgery (CSRF) Prevention
In theory (and confirmed), a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, could allow them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins.
For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party.
Security enhancements added to v11.16.0:
CSRF protection to all list control panel screens (including plugins) when logged in
Initial CSRF protection on the actual list control panel login form is enabled by default
This feature was available in Dada Mail, but was not enabled by default
CSRF protection for any a user who logs into their profile would be able to do when logged in
CSRF protection for the initial profile login form
Login cookies for both the list control panel and profiles have the, "SameSite" flag added, and set to, "Lax"
Login cookies for both the list control panel and profiles have the, "secure" flag added, and set to, "1", if the connection is under https
Google reCAPTCHA added to the Change List Password, Change Dada Mail Root Password, Profile login, and Profile Registration
You'll want to set up Google reCAPTCHA in the included Dada Mail installer.
More Details
Here's an overview of CSRF:
https://owasp.org/www-community/attacks/csrf
v11.16.0 comes with Cross-Site Request Forgery prevention using the Double Submit Cookie pattern: (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie).
To enhance this, we also "HMAC the token with a secret key known only by the server and place this value in a cookie" (as described in the above doc), and set cookies to have, SameSite set to, Lax (instead of not setting SameSite at all), (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute),
Additional Suggestions to Help Harden Security
Run Dada Mail under https
Running Dada Mail under https will protect sensitive data from being able to read in transmission.
Set up Google reCAPTCHA
Google reCAPTCHA helps stop automated submission of forms in Dada Mail.
Features
RESTFUL API supports Global Public/Private Keys, Creating New Mailing Lists
Please see:
and,
https://dadamailproject.com/d/features-restful_web_services.pod.html#Global-Public-and-Private-Keys
Changes
Default Membership: View address order is now Date Added/Subscription Date/Descending
Previous order was email address alphabetically/descending
Bugfixes
Switching between lists accepts "GET" requests
https://github.com/justingit/dada-mail/issues/1067
"logout" accepts "GET" requests
https://github.com/justingit/dada-mail/issues/1066
You can send a mass mailing to no one
https://github.com/justingit/dada-mail/issues/1064
--
Justin J: Lead Dadaist url: dadamailproject.com email: justin@PROTECTED twitter: @dadamail
Dada Mail Announcements:http://dadamailproject.com/cgi-bin/dada/mail.cgi/list/dada_announce/
Dada Mail Developers
Post to: Dada Mail Developers ( dadadev@PROTECTED )
Manage Your Subscription
Unsubscribe
- This mailing list is a public mailing list - anyone may join or leave, at any time.
- This mailing list is a group discussion list (unmoderated)
-
Start a new thread, email: dadadev@dadamailproject.com
This mailing list is to discuss the nerdy programming development of Dada Mail -
If you are just looking for support Dada Mail, consult the message boards at:
http://dadamailproject.com/support/boards
To post to this list, send a message to:
dadadev@dadamailproject.com
All subscribers of this list may post to the list itself.
Some on topic... topics include:
- Positive Crits on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
- Bug/Error reports
- Bug fixes
- Request For Comments on any changes to the program
- Help customizing Dada Mail for your own internal needs
- Patches
- Language Translations
- Support Documentation/Doc editing, FAQ's, etc.
- Discussion of any changes that you would like to be committed to the next version of Dada Mail -
At the moment, there aren't many people with CVS access for Dada Mail - if you would like CVS access, please first talk about the changes you propose and how it will affect the program. If the idea is sound and agreed upon, the change will be comitted. A good track record of this will allow you to have CVS access. Some reasons that patches will not be accepted is if the patch breaks compatibility with a previous version of the program, the patch is too centric to your own problem or the patch simply isn't very good.
Please, please please familiarize yourself with the documentation at:
http://dadamailproject.com/support/documentation/
Since no one wants to answer the same question twice.
Another sneaky reason for this mailing list is to test out the discussion list capabilities of Dada Mail, since Dada Mail is used for the mailing list itself.
NOTE - because of this, there may be times that this list will be somewhat broken. Although we're not planning on breaking the program by using it, we're giving you the heads up that this may well happen anyways.
Privacy Policy:
This Privacy Policy is for this mailing list, and this mailing list only.
Email addresses collection through this mailing list are used explicitly to work within this email discussion list.
We only collect email addresses through our Closed-Loop Opt-In system.
We don't use your email address for any other purpose.
We won't be sharing your email address with any other entity.
Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.
All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.
All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.