Bugs item #897918, was opened at 2004-02-16 05:28 Message generated for change (Comment added) made by bwarsaw You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103 Category: security/privacy Group: 2.1 (stable)

Status: Closed Resolution: Fixed Priority: 5 Submitted By: Heiko Scheit (scheit) Assigned to: Nobody/Anonymous (nobody) Summary: admin password is checked when it should not

Initial Comment: admin password is checked when it should ----------------------------------------- To see the problem you have to be the administrator of a list. Go to the members options login page .../mailman/options/<listname> and enter something like a valid email address, e.g.: xxx@xxx.xxx and as password enter the ADMIN password! You will get something like: Bug in Mailman version 2.1.4 We're sorry, we hit a bug! The problem seems to be that the password entered in the members options login page is also checked against the admin password, which should not be done. It should only be checked if the admin-cookie is set, so that the admin (who logged on via the admin page) can also modify user settings. What is worse: if you enter a valid email address (of a list member) and the admin password you are the admin. So, any list member that happens to choose the same password as the admin has full access to the administrative interface. Somehow I think it would be better to also have an admin username and not just an admin password. Or, for each member an admin flag can be set. The admin has to be a member and can login with email and password as anybody else. ----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw) Date: 2004-02-17 17:17

Message: Logged In: YES user_id=12800 This is fixed in cvs. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103