Archiver key vulnerable to timing attacks, appears in log entries since it's a GET parameter
As previously described in an email to the Mailman security team, the hyperkitty archiver key is vulnerable to timing attacks. This is only exploitable if you can send a request from an approved IP listed in MAILMAN_ARCHIVER_FROM though.
Furthermore, since it's passed as a GET parameter it appears in uwsgi logs:
[pid: 7638|app: 0|req: 15173/15173] 208.80.154.13 () {56 vars in 967 bytes} [Tue Apr 20 06:47:12 2021] POST /hyperkitty/api/mailman/archive?key=[REDACTED] => generated 131 bytes in 56 msecs (HTTP/1.1 200) 7 headers in 220 bytes (2 switches on core 0)
It also appears in entries for requests to the /hyperkitty/api/mailman/urls endpoint.
Via email @maxking suggested switching to pass it as a header instead. Here are two patches, for hyperkitty and mailman-hyperkitty, that do that and fix the timing attack too:
0001-Improve-security-around-archiver-key-CVE-2021-XXXX.patch
0001-Send-archiver-key-as-a-HTTP-header.patch
I haven't actually had time to test this in a real system yet (will try to do so tomorrow), just ran the test suite so far. Please let me know if these look good and I'll submit MRs.
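As an added illustration of the two problems the report describes (this is example code, not HyperKitty's, mailman-hyperkitty's, or the attached patches' code): an early-exit comparison leaks how many leading characters of a guessed key are correct, and a key carried in the query string ends up in the access log while a key carried in a request header does not. The key value, the allow-list and the header name X-Mailman-Archiver-Key are constructed assumptions.

```python
import hmac
import ipaddress
from urllib.parse import parse_qs

# Constructed values for this demonstration, not HyperKitty's real settings or the
# attached patches: the key, the allow-list and the header name are all assumptions.
ARCHIVER_KEY = "SecretArchiverKeyValue"          # stands in for MAILMAN_ARCHIVER_KEY
ARCHIVER_FROM = ["127.0.0.1", "208.80.154.13"]   # stands in for MAILMAN_ARCHIVER_FROM
HEADER_NAME = "X-Mailman-Archiver-Key"           # assumed header name for the key


def naive_compare(expected: str, candidate: str):
    """Early-exit string comparison, modelling what an ordinary == does internally.

    Returns (equal, chars_examined). The work done grows with the length of the
    matching prefix, so response time reveals how many leading characters of a
    guess are right; that is the timing side channel the report describes.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for x, y in zip(expected, candidate):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, candidate: str) -> bool:
    """hmac.compare_digest takes time independent of where the inputs differ."""
    return hmac.compare_digest(expected.encode("utf-8"), candidate.encode("utf-8"))


def vulnerable_check(request: dict) -> bool:
    """The 'before': key read from the query string and compared with ==."""
    key = parse_qs(request["query_string"]).get("key", [""])[0]
    return key == ARCHIVER_KEY


def hardened_check(request: dict) -> bool:
    """The 'after': caller must be in the allow-list, the key travels in a
    header, and the comparison is constant-time."""
    allowed = {ipaddress.ip_address(a) for a in ARCHIVER_FROM}
    if ipaddress.ip_address(request["remote_addr"]) not in allowed:
        return False
    key = request["headers"].get(HEADER_NAME, "")
    return constant_time_compare(ARCHIVER_KEY, key)


def request_log_line(request: dict) -> str:
    """The request part of a uwsgi-style access log entry: source address,
    method, path and query string are recorded; request headers are not."""
    target = request["path"]
    if request["query_string"]:
        target += "?" + request["query_string"]
    return f'{request["remote_addr"]} {request["method"]} {target}'


def key_leaks_into_log(request: dict) -> bool:
    return ARCHIVER_KEY in request_log_line(request)


# Constructed requests mirroring the (redacted) log entry quoted in the report.
LEGACY_REQUEST = {
    "remote_addr": "208.80.154.13", "method": "POST",
    "path": "/hyperkitty/api/mailman/archive",
    "query_string": "key=" + ARCHIVER_KEY, "headers": {},
}
HEADER_REQUEST = {
    "remote_addr": "208.80.154.13", "method": "POST",
    "path": "/hyperkitty/api/mailman/archive",
    "query_string": "", "headers": {HEADER_NAME: ARCHIVER_KEY},
}


if __name__ == "__main__":
    for guess in ("x" * 22, "Se" + "x" * 20, "SecretArch" + "x" * 12):
        print(guess, "->", naive_compare(ARCHIVER_KEY, guess))
    print("legacy log line:", request_log_line(LEGACY_REQUEST))
    print("header log line:", request_log_line(HEADER_REQUEST))
```

Running it shows the examined-character count climbing with each correct prefix character for the naive comparison, the full key sitting in the legacy log line, and nothing secret in the header-based one. The allow-list check in hardened_check is there because the report notes the timing attack is only reachable from an address in MAILMAN_ARCHIVER_FROM; it narrows exposure but does not remove the need for the constant-time comparison.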