Spork Schivago

Well-Known Member
cPanel Access Level: Root Administrator
Hi,

I posted in the security thread because I received a security audit and it showed that one of the problems they found with my server is that it's running mailman, again.

I can't figure out how to prevent URLs like:
example.com.com/mailman/listinfo/

from returning valid mailman webpages. I have mailman disabled in WHM. It's not running. qrunner isn't running... I don't see why I can access the mailman pages if it's disabled, and I'd like to figure out how to prevent these pages from showing up.

I thought I asked this before and received an answer but I can't seem to find it now. Any thoughts? Thanks.

cPanelMichael

Administrator
Staff member
Hello @Spork Schivago,

I've reproduced this behavior and confirmed that disabling Mailman via "WHM >> Tweak Settings" doesn't automatically remove the following entries from /etc/apache2/conf/httpd.conf on systems using EasyApache 4:

Code:
# grep mailman /usr/local/apache/conf/httpd.conf
    Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
    ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
Internal case CPANEL-9722 is open to address this issue, and I'll update this thread with more information on the status of this case as it becomes available. In the meantime, you can create the following file as a temporary workaround:

Code:
/usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess
Within this file, add the following lines:

Code:
# Deny the listed methods to everyone (restricting GET also restricts HEAD).
# <Limit> only applies to the methods it names; other methods are not affected.
<Limit GET POST>
order deny,allow
deny from all
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
Be sure to remove this file once a resolution is published.

Thank you.
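
A local check for the situation described above (Mailman disabled in WHM, Apache aliases still present, .htaccess workaround in place or not), so you don't have to wait for the next external scan. This is an added example, not code from the thread or from cPanel; the paths default to the ones quoted in the reply and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): verify whether Mailman's web
# interface is still mapped in Apache and whether the deny-all .htaccess exists.
HTTPD_CONF="${HTTPD_CONF:-/etc/apache2/conf/httpd.conf}"
MAILMAN_HTACCESS="${MAILMAN_HTACCESS:-/usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess}"

# Print the number of Alias/ScriptAlias directives mapping /mailman or /pipermail.
# Returns 0 only if at least one such directive exists (grep -c semantics).
count_mailman_aliases() {
    grep -cE '^[[:space:]]*(Script)?Alias[[:space:]]+/(mailman|pipermail)(/|[[:space:]])' "$1"
}

# Returns 0 if the .htaccess carries an unconditional deny, either the
# 2.2-style "deny from all" used in the thread or the 2.4-style "Require all denied".
htaccess_denies_all() {
    [ -f "$1" ] && grep -qiE '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1"
}

# Returns 0 if the rules are scoped by <Limit ...>, which covers only the
# listed methods (the thread's workaround lists GET/POST and PUT/DELETE).
htaccess_uses_limit() {
    [ -f "$1" ] && grep -qi '^[[:space:]]*<Limit[[:space:]]' "$1"
}

# Live probe (needs network): HTTP status of a Mailman URL; 403 or 404 is what you want.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

report() {
    n=$(count_mailman_aliases "$HTTPD_CONF") || n=0
    echo "Mailman aliases in $HTTPD_CONF: $n"
    if htaccess_denies_all "$MAILMAN_HTACCESS"; then
        echo "deny-all .htaccess present at $MAILMAN_HTACCESS"
        htaccess_uses_limit "$MAILMAN_HTACCESS" && echo "note: deny is scoped by <Limit>; unlisted methods are not denied"
    else
        echo "no deny-all .htaccess at $MAILMAN_HTACCESS"
    fi
    [ -n "${2:-}" ] && echo "HTTP status for $2: $(probe_status "$2")"
    return 0
}

# Only runs when invoked as: sh check-mailman.sh check [https://example.com/mailman/listinfo/]
if [ "${1:-}" = "check" ]; then report "$@"; fi
```

A count above zero with no deny-all .htaccess means the CGI is still reachable regardless of the WHM setting; after the cPanel 70 update the count itself should drop to zero.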

Spork Schivago

Well-Known Member
cPanel Access Level: Root Administrator
Thank you. Because I've only signed up for the free version of the scans on the security auditing website I use, I cannot scan my server at will. It gets scanned automatically once a week. I won't know if this actually fixes the problem or not until they scan me again.

I remember this solution from before, though. I'm certain I've asked this question on here and got the same answer a while back. I just can't find it. I'm thinking maybe mailman got updated and my .htaccess file got removed. I even remember having to edit the .htaccess file to block the stuff.

cPanelMichael

Administrator
Staff member
Hello,

There's no update to report on the status of this case at this time. I'll continue to monitor the case and report back here once we've made some progress.

Thank you.

cPanelMichael

Administrator
Staff member
Hello,

To update, this is solved in cPanel version 70 as part of an update to the Mailman RPM:

Fixed case CPANEL-18479: Update cpanel-mailman to 2.1.25-2.cp1162.

Thanks!