[Portal: CLI] PGP Secret Key Disclosure Risk

[teward]

During a penetration test of the Trident software as part of a penetration test conducted by Black Hills Info Sec, an Information Disclosure issue was discovered.

This requires a low-privilege user to be used, and the CLI interface via the portal to be enabled.

It was discovered that the portal /cli/ page, when enabled and given a command such as ml seckey testgroup admin as a non-administrator user disclosed the PGP Secret Key for the given mailing list.

This function is not exposed for non sysadmins in the tcli command line program, and is only exposed through the portal.

@bapril was notified about this issues over email shortly after the issues were discovered. It was decided that a public issue ticket for this issue should be made over the past weekend.

The Portal CLI page should probably disallow non-sysadmins from accessing this information.

[rgrmule]

The following information does not solve this problem, in fact it exacerbates it, but if you have not already seen it... (if you have apologies)

https://thehackernews.com/2018/05/pgp-smime-email-encryption.html https://gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682