Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Hi,

I posted in the security thread because I received a security audit and it showed that one of the problems they found with my server is that it's running mailman, again.

I can't figure out how to prevent URLs like:
example.com.com/mailman/listinfo/

from returning valid mailman webpages. I have mailman disabled in WHM. It's not running. qrunner isn't running....I don't see why I can access the mailman pages if it's disabled and I'd like to figure out how to prevent these pages from showing up.

I thought I asked this before and received an answer but I can't seem to find it now. Any thoughts? Thanks.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello @Spork Schivago,

I've reproduced this behavior and confirmed that disabling Mailman via "WHM >> Tweak Settings" doesn't automatically remove the following entries from /etc/apache2/conf/httpd.conf on systems using EasyApache 4:

Code:
# grep mailman /usr/local/apache/conf/httpd.conf
    Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
    ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
Internal case CPANEL-9722 is open to address this issue, and I'll update this thread with more information on the status of this case as it becomes available. In the meantime, you can create the following file as a temporary workaround:

Code:
 /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess
Within this file, add the following lines:

Code:
<Limit GET POST>
order deny,allow
deny from all
</Limit>

<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
Ensure to remove this file once a resolution is published.

Thank you.
 
  • Like
Reactions: Spork Schivago

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Thank you. Because I've only signed up for the free version of the scans on the security auditing website I use, I cannot scan my server at will. It gets scanned automatically once a week. I won't know if this actually fixes the problem or not until they scan me again.

I remember this solution from before though. I'm certain I've asked this question on here and got the same answer, a while back. I just can't find it. I'm thinking maybe mailman got updated and my .htaccess file got removed. I even remember having to edit the .htaccess file to block the stuff.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

There's no update to report on the status of this case at this time. I'll continue to monitor the case and report back here once we've made some progress.

Thank you.
 
  • Like
Reactions: Spork Schivago

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

To update, this is solved in cPanel version 70 as part of an update to the Mailman RPM:

Fixed case CPANEL-18479: Update cpanel-mailman to 2.1.25-2.cp1162.

Thanks!