On Mon, 5 Jan 2009, Edilson Azevedo wrote:
Hi Barry, and thanks for answering!
You said "should". But in 95% of the lists that I look at, those links are always open. A random example: the official Mailman mailing list. Follow my steps:
1 - Open this link: http://mail.python.org/mailman/admin
2 - Then click on "create a new mailing list"
3 - You can try to create a new list until you discover the correct password (if you don't know it). But if you don't know the password, you can try to use a bruteforce. They are very easy to find and very, very, very easy to use. Sometimes they work very well.. hehehe.
Again: anyone, anywhere, can try to create a new list. Is that correct??!!
Thanks Barry!!!
P.S.: Try those same steps on other mailing list sites. It always works!
Allow me to chime in and ask how this would be different if the form were behind a login screen? Or any form at all? You can "brute force" any screen in Mailman and afaik there's no timeout or backoff interval.
I see this as a non-issue, personally, but I do think it looks bad, and think that screen should, in a perfect world, be shown ONLY if there is a "list creator" password with no other privileges (but then, if that were the behavior, it would leak that fact).
Just my 0.02.
-Dan
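Dan's two points above (no backoff between failed attempts, and a form whose visibility would leak whether a creator password exists) are the ones a defender would address. The following is an added illustration, not Mailman's own code: a per-client failure tracker with exponential backoff, and a form handler that answers uniformly ("ok" or "rejected") so the response itself reveals nothing about password configuration or remaining attempts. The constants, the `AttemptTracker` class and the `check_password` callback are assumptions for the example.

```python
import time

# Constructed policy values for the example (not Mailman settings).
FREE_ATTEMPTS = 3     # failures allowed before any delay is imposed
BASE_DELAY = 1.0      # seconds of delay after the first counted failure
MAX_DELAY = 300.0     # cap so one client key is never locked out forever


class AttemptTracker:
    """Tracks failed submissions per client key (e.g. source IP) and
    reports how long that client must wait before the next attempt."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._failures = {}             # key -> (failure_count, not_before)

    def wait_seconds(self, key):
        """Seconds the client must still wait; 0.0 if it may submit now."""
        _count, not_before = self._failures.get(key, (0, 0.0))
        return max(0.0, not_before - self._now())

    def record_failure(self, key):
        """Count a failure and return the delay now imposed (doubles each
        time past the free attempts, capped at MAX_DELAY)."""
        count, _ = self._failures.get(key, (0, 0.0))
        count += 1
        over = count - FREE_ATTEMPTS
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** (over - 1)) if over > 0 else 0.0
        self._failures[key] = (count, self._now() + delay)
        return delay

    def record_success(self, key):
        """A successful submission clears the client's failure history."""
        self._failures.pop(key, None)


def handle_create_list(tracker, client_key, supplied_password, check_password):
    """Uniform response: callers only ever see 'ok' or 'rejected', so a
    blocked client, a wrong password and an absent creator password all
    look the same from outside (no leak of which case applies)."""
    if tracker.wait_seconds(client_key) > 0:
        return "rejected"               # still inside the backoff window
    if check_password(supplied_password):
        tracker.record_success(client_key)
        return "ok"
    tracker.record_failure(client_key)
    return "rejected"
```

Because blocked submissions are rejected without being checked, a correct guess made during the backoff window is not honoured; it only succeeds once the window has elapsed.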