Barry Warsaw wrote:
On Jan 5, 2009, at 1:12 PM, skip@pobox.com wrote:
I suspect the default should be to not expose those things. I
wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well.
I fear those admins are also the ones most likely to not create strong
passwords.

Note that by default, it's not possible to create mailing lists
through the web even though the link exists. You have to create a
site password or 'list creators' password to enable this feature. A
site admin should know enough to set these passwords to something
strong and difficult to brute force.

Still, the suggestions for disabling this CGI are easy enough, and if
you have shell access to create those passwords, you have shell access
to disable the CGI.
As Barry points out, the door is neither open nor easily opened by default.
Also, in a default installation, alias generation is manual, and creating a list from the web is not sufficient to make it work.
Further, I think this whole list create issue is a red herring. If I were a black-hat looking to create a list on your server to use for my own nefarious purposes, I think I'd use my dictionary attack to try to access the admin interface of an existing list where the password is more likely to be weak. Once I have the admin password for an existing list, I can do anything with that list that I might have done with a new list, and incidentally do more damage to the installation (or at least that one list) in the process.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
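The advice in this thread amounts to a short procedure for a site admin with shell access: set strong, non-dictionary site and list-creator passwords, and disable the list-creation CGI if you do not want it at all. The script below is an added example illustrating that procedure; it is not code from the thread or from the Mailman project. It assumes a Mailman 2.x layout where `bin/mmsitepass` (real tool; `-c` sets the list-creator password) and `cgi-bin/create` sit under `MAILMAN_PREFIX`, which is an assumed path, and it writes the generated secrets to a mode-0600 file rather than echoing them.

```shell
#!/bin/sh
# Added example, not from the thread or Mailman itself.
# Assumption: Mailman 2.x installed under MAILMAN_PREFIX with
# bin/mmsitepass and cgi-bin/create beneath it.
MAILMAN_PREFIX="${MAILMAN_PREFIX:-/usr/local/mailman}"

# 128 random bits rendered as 32 hex characters: far outside the reach of
# the dictionary attack the thread worries about.
gen_password() {
    od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
}

# Reject what a dictionary attack finds quickly: short passwords, or ones
# that appear verbatim in a wordlist (second argument, optional).
is_strong() {
    pw=$1
    wordlist=$2
    [ "${#pw}" -ge 16 ] || return 1
    if [ -n "$wordlist" ] && [ -r "$wordlist" ]; then
        grep -qixF -- "$pw" "$wordlist" && return 1
    fi
    return 0
}

# Set both passwords and make the create CGI non-executable, so that the
# web link Barry mentions leads nowhere even if a password later leaks.
# $1 is a file (created 0600) that receives the generated secrets.
harden_list_creation() {
    out=$1
    site_pw=$(gen_password)
    creator_pw=$(gen_password)
    is_strong "$site_pw" && is_strong "$creator_pw" || return 1
    "$MAILMAN_PREFIX/bin/mmsitepass" "$site_pw"
    "$MAILMAN_PREFIX/bin/mmsitepass" -c "$creator_pw"
    chmod 000 "$MAILMAN_PREFIX/cgi-bin/create"
    umask 077
    printf 'site password: %s\nlist creator password: %s\n' \
        "$site_pw" "$creator_pw" > "$out"
    echo "list creation hardened; secrets written to $out"
}

# Usage (run as the Mailman owner):
#   MAILMAN_PREFIX=/var/lib/mailman sh harden.sh && harden_list_creation /root/mailman-secrets.txt
```

`is_strong` is deliberately simple; its point is that a site password must not be something `mailman`, `admin`, or a list name would match, since the thread's more realistic threat is a dictionary attack against an existing list's admin page, and the site password unlocks every list.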