Bugs item #1448537, was opened at 2006-03-12 15:30
Message generated for change (Comment added) made by eric_black
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_…
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: security/privacy
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: EricB (eric_black)
Assigned to: Nobody/Anonymous (nobody)
Summary: Limit number of subscribe requests in a period
Initial Comment:
Add limits (number of requests in a day, and minimum
number of days before resetting the counter) to the
number of subscribe requests for an email address.
Defaults would be 1 request in 1 day.
This is needed to prevent malicious mailbombing of an
innocent victim by someone repeatedly submitting their
address. Currently the victim gets the verify.txt
template email for each submission.
----------------------------------------------------------------------
>Comment By: EricB (eric_black)
Date: 2006-03-12 19:30
Message:
Logged In: YES
user_id=1474448
Thanks for the suggestion. That helps if a user complains, but does not help
in this scenario:
A malicious evil-doer discovers a spamtrap email address used by any of the
many RBLs, and repeatedly submits that address in a subscribe request,
either by forging email (trivial to do) or by repeatedly submitting the HTML
form (also trivial to do). The spamtrap receives multiple confirmation
requests.
The first confirmation request should be ignored, because typos happen.
Subsequent confirmation requests may well be considered to be spam.
Especially if there are 5 a day, let alone 100 in the space of an hour.
----------------------------------------------------------------------
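The limit proposed in this item, as an added example rather than code from Mailman: a per-address counter that lets the subscribe handler send the verify.txt confirmation only while the address is under quota. The class and function names are my own; the defaults (1 request per 1-day window) are the ones proposed above.

```python
import time

# Constructed example, not Mailman's code. Defaults follow the tracker item:
# at most 1 confirmation per address within a 1-day window.
DEFAULT_MAX_REQUESTS = 1
DEFAULT_WINDOW_DAYS = 1
SECONDS_PER_DAY = 86400


class SubscribeRateLimiter:
    """Counts confirmation mails sent per address and refuses the excess.

    Each address keeps (window_start, count). The counter is reset only when
    window_days have elapsed since the first request in the window, so a
    flood of submissions gains nothing by crossing a calendar-day boundary.
    Call allow() where the subscribe handler would send verify.txt and send
    the mail only when it returns True.
    """

    def __init__(self, max_requests=DEFAULT_MAX_REQUESTS,
                 window_days=DEFAULT_WINDOW_DAYS):
        self.max_requests = max_requests
        self.window = window_days * SECONDS_PER_DAY
        self._state = {}  # normalised address -> (window_start, count)

    @staticmethod
    def normalise(address):
        # Treat the whole address case-insensitively so 'Victim@Example.COM'
        # and 'victim@example.com' share one counter.
        return address.strip().lower()

    def allow(self, address, now=None):
        """Return True and record the send if the address is under quota.

        now is seconds since the epoch (defaults to time.time()).
        """
        if now is None:
            now = time.time()
        key = self.normalise(address)
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # window expired: start a fresh one
        if count >= self.max_requests:
            self._state[key] = (start, count)
            return False                   # quota exhausted: send nothing
        self._state[key] = (start, count + 1)
        return True


def confirmations_sent(submissions, max_requests=DEFAULT_MAX_REQUESTS,
                       window_days=DEFAULT_WINDOW_DAYS):
    """Replay (address, seconds_since_start) submissions; count mails sent."""
    limiter = SubscribeRateLimiter(max_requests, window_days)
    return sum(1 for address, at in submissions if limiter.allow(address, at))
```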
Comment By: Tokio Kikuchi (tkikuchi)
Date: 2006-03-12 19:19
Message:
Logged In: YES
user_id=67709
You can suppress sending confirmation by putting the
victim's email address in ban_list from the admin page
(privacy section), if she/he is not willing to be added to
your list. This may not work if the malicious user forges
the 'From:' header. In this case, the victim may well
introduce some mail filter to get junk mails discarded
before they reach her/his eyes.
----------------------------------------------------------------------
Comment By: EricB (eric_black)
Date: 2006-03-12 15:47
Message:
Logged In: YES
user_id=1474448
BTW, I've been running 2.1.5 with this problem, and 2.1.7
still exhibits the vulnerability.
----------------------------------------------------------------------
Feature Requests item #403066, was opened at 2001-01-01 09:27
Message generated for change (Comment added) made by jimpop
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350103&aid=403066&group_i…
Category: None
Group: None
Status: Pending
Resolution: Accepted
Priority: 3
Submitted By: Mark Tearle (mtearle)
Assigned to: Mark Sapiro (msapiro)
Summary: Auto Approval of subscriptions for certain domains
Initial Comment:
A patch to enable automatic approval for certain domains, e.g. people
in example.com are automatically approved; all others have to wait for the moderator.
----------------------------------------------------------------------
Comment By: Jim Popovitch (jimpop)
Date: 2006-03-12 22:12
Message:
Logged In: YES
user_id=3142
I've successfully applied this against a v2.1.8 system and
it works well. Thanks!!
----------------------------------------------------------------------
Comment By: Mark Sapiro (msapiro)
Date: 2006-03-11 13:36
Message:
Logged In: YES
user_id=1123998
The attached patch is against a 2.1.8a1 installed base
(installed because it patches Defaults.py and not
Defaults.py.in). It is a modification and extension of the
original patch. It implements a new list attribute
'subscribe_auto_approval' which is a list of email addresses
and regular expressions matching email addresses whose
subscriptions are exempt from admin approval. It implements
the original intent if one just uses regexps that match domains.
This will go in Mailman 2.2, but it would be nice to get
some feedback from people who are interested in this feature
and are willing to try the patch.
----------------------------------------------------------------------
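A matcher for the 'subscribe_auto_approval' attribute described in the comment above, as an added example (not the patch attached to the item). It assumes the convention Mailman uses for its other address lists such as ban_list, where an entry beginning with '^' is a regular expression and anything else a literal address, and it also shows why a domain pattern should be escaped and anchored.

```python
import re

# Constructed example; not the patch attached to the tracker item. It assumes
# Mailman's convention for its other address lists (e.g. ban_list): an entry
# starting with '^' is a regular expression, anything else a literal address.


def domain_pattern(domain):
    """Build an anchored, escaped regexp that approves every address at domain.

    Escaping keeps the '.' in 'example.com' literal, and the '$' anchor stops
    the pattern from also matching 'user@example.com.other.invalid'.
    """
    return '^[^@]+@' + re.escape(domain) + '$'


def is_auto_approved(address, subscribe_auto_approval):
    """True if address matches an entry of the subscribe_auto_approval list.

    Matching is case-insensitive. A malformed regexp is skipped rather than
    treated as a match, so a typo in the list can never widen approval.
    """
    addr = address.strip().lower()
    for entry in subscribe_auto_approval:
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith('^'):
            try:
                if re.search(entry, addr, re.IGNORECASE):
                    return True
            except re.error:
                continue
        elif entry.lower() == addr:
            return True
    return False
```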
Comment By: Thomas Wouters (twouters)
Date: 2003-03-11 08:31
Message:
Logged In: YES
user_id=34209
Is this still necessary with Mailman 2.1, which has more
'automatic' options (as well as 'memberadaptors')? In any
case, the patch is likely heavily out of date by now; I'm
moving this to Feature Requests for now. Feel free to
respond if you (still) have a need.
----------------------------------------------------------------------
Bugs item #1080943, was opened at 2004-12-07 14:49
Message generated for change (Settings changed) made by msapiro
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1080943&group_…
Category: Web/CGI
Group: 2.1 (stable)
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Mark Sapiro (msapiro)
Assigned to: Nobody/Anonymous (nobody)
Summary: Private archive specific message URL lost in authorization
Initial Comment:
If a user without an authorization cookie goes to a URL
such as
http://www.example.com/mailman/private/list-name/yyyy-Month/nnnnnn.html
the user will get the private archives authorization
page and after filling in e-mail address and password
and clicking Let me in... will be taken to the main
index for the list at
http://www.example.com/mailman/private/list-name/
instead of to the original URL.
----------------------------------------------------------------------
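One way to carry the originally requested URL through the authorization step, as an added example and not Mailman's actual fix: the requested path is honoured only while it stays inside the list's own private archive, and everything else falls back to the index page described above. PRIVATE_PREFIX and the function name are assumptions taken from the URL layout in the report.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed example, not Mailman's fix. It assumes the archive path layout
# from the report: private archives live under PRIVATE_PREFIX + listname + '/'.
PRIVATE_PREFIX = '/mailman/private/'


def archive_return_path(listname, requested_path):
    """Pick where to send the user once the private-archive login succeeds.

    requested_path is the URL path the user originally asked for, carried
    through the authorization form (e.g. as a hidden field). It is honoured
    only if it still points inside this list's private archive; anything
    else, including absolute URLs, protocol-relative '//host' forms and
    '..' traversal, falls back to the list's archive index as before.
    """
    index = PRIVATE_PREFIX + listname + '/'
    if not requested_path:
        return index
    parts = urlsplit(requested_path)
    if parts.scheme or parts.netloc:
        return index                      # never redirect off this server
    # Decode once, then normalise so '..' and '%2e%2e' cannot escape the
    # list's archive directory. normpath also strips a trailing slash.
    path = posixpath.normpath(unquote(parts.path))
    if path != index.rstrip('/') and not path.startswith(index):
        return index
    return path
```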
>Comment By: Mark Sapiro (msapiro)
Date: 2006-03-12 12:35
Message:
Logged In: YES
user_id=1123998
Fixed in 2.1.7.
----------------------------------------------------------------------
Comment By: Paul Wise (pabs3)
Date: 2005-03-10 03:21
Message:
Logged In: YES
user_id=35028
There is a fix for this issue in a debian bug report:
http://bugs.debian.org/298842
----------------------------------------------------------------------
Bugs item #1275856, was opened at 2005-08-29 10:26
Message generated for change (Comment added) made by msapiro
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1275856&group_…
Category: Web/CGI
Group: 2.1 (stable)
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Mark Sapiro (msapiro)
Assigned to: Nobody/Anonymous (nobody)
Summary: Utils.get_domain() wrong if VIRTUAL_HOST_OVERVIEW off
Initial Comment:
Part of the code in get_domain() in Utils.py is:

    if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
        return host.lower()
    else:
        # See the note in Defaults.py concerning DEFAULT_HOST_NAME
        # vs. DEFAULT_EMAIL_HOST.
        hostname = mm_cfg.DEFAULT_HOST_NAME or mm_cfg.DEFAULT_EMAIL_HOST
        return hostname.lower()

It is clear that get_domain() should return the web
host, not the e-mail host. This code should be:

    if mm_cfg.VIRTUAL_HOST_OVERVIEW and host:
        return host.lower()
    else:
        # See the note in Defaults.py concerning DEFAULT_URL
        # vs. DEFAULT_URL_HOST.
        hostname = mm_cfg.DEFAULT_URL or mm_cfg.DEFAULT_URL_HOST
        return hostname.lower()
----------------------------------------------------------------------
>Comment By: Mark Sapiro (msapiro)
Date: 2006-03-12 10:11
Message:
Logged In: YES
user_id=1123998
Fixed in CVS for releases above 2.1.8a1.
hostname = mm_cfg.DEFAULT_URL or mm_cfg.DEFAULT_URL_HOST
is not the correct fix as DEFAULT_URL is a URL, not a
domain, so I changed it to
hostname = mm_cfg.DEFAULT_HOST_NAME or mm_cfg.DEFAULT_URL_HOST
----------------------------------------------------------------------
Patches item #1447948, was opened at 2006-03-11 13:58
Message generated for change (Settings changed) made by fractalvisionz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1447948&group_…
Category: Web UI
Group: Mailman 2.0.x
Status: Open
Resolution: None
Priority: 5
Submitted By: Jamie (fractalvisionz)
Assigned to: Nobody/Anonymous (nobody)
>Summary: Focus password field on admin login page load
Initial Comment:
This patch focuses the password field when the login
page is loaded, a very simple and time saving feature.
File should be placed in the templates/en directory.
DIFF:
5,6c5,12
< <body bgcolor="#ffffff">
< <FORM METHOD=POST ACTION="%(path)s">
---
> <script>
> function sf()
> {
> document.loginform.adminpw.focus();
> }
> </script>
> <body bgcolor="#ffffff" onLoad=sf()>
> <FORM METHOD=POST ACTION="%(path)s" NAME="loginform">
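Review bot: sf() dereferences document.loginform.adminpw with no guard, so on any admin page variant where the form or the password field is named differently the onload handler throws on every page load; consider `var f = document.loginform; if (f && f.adminpw) f.adminpw.focus();`. In the `<body bgcolor="#ffffff" onLoad=sf()>` line the attribute value is unquoted, and parentheses are not permitted in an unquoted attribute value in HTML 4, so write `onLoad="sf()"`; the `<script>` element is also missing the type attribute HTML 4.01 requires (`<script type="text/javascript">`). Finally, the file is only placed in templates/en, so the other locale templates keep the old behaviour unless patched the same way.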
----------------------------------------------------------------------