
[Didn't see this problem discussed in the recent archive messages, so...]
I was looking at the code for the admin cgi in search of a good cookie authentication system, and found out that it was doing this:

    import Cookie, os

    # Parse the browser's cookies and accept the request as an admin
    # whenever the "<list>-admin" cookie equals the hash of the list name.
    c = Cookie.Cookie(os.environ['HTTP_COOKIE'])
    if c.has_key(list_name + "-admin"):
        if c[list_name + "-admin"].value == hash(list_name):
            return 1
...to authenticate based on a cookie. This code is from 1.0b8, but it only took a couple of minutes to set the appropriate wafer in my junkbuster configuration, and point netscape at the admin page for mailman-developers. I'll leave the replication of this exploit as an exercise for the readers.
Possible solutions:
Lock down that URL with whatever security features your web server has. This sucks as a long term solution, but it should protect from disgruntled script kiddies that you just chucked off your lists.
Make the value based on a hash of some slow-changing system variable. Something that changes with the frequency of your desired expire time, for example. Maybe a cron job to set a key based on some fast-changing system stats every hour or so.
Use SSL for the admin interface and save the name and password in the cookie.
Any better suggestions?
John.
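As an added example (not Mailman's code and not from the post above), here is one way to do what the second and third suggestions aim at: the cookie value is an HMAC over the list name and an expiry time, keyed with a server-side secret, so it cannot be computed from the list name alone and stops working after a fixed lifetime. SECRET, TTL_SECONDS and the function names are assumptions for the example.

```python
# Added example, not Mailman code: an admin cookie bound to a server-side
# secret and an expiry time instead of a bare hash of the list name.
import hmac
import hashlib
import time
from http.cookies import SimpleCookie

SECRET = b"constructed-per-site-secret-replace-me"  # constructed sample; load from a root-only file in practice
TTL_SECONDS = 3600                                   # assumed cookie lifetime


def _mac(list_name, expires):
    # MAC over "<list>:<expiry>" so the value is tied to both
    msg = ("%s:%d" % (list_name, expires)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_admin_cookie(list_name, now=None):
    """Return the value to set in the '<list>-admin' cookie after a login."""
    now = int(time.time() if now is None else now)
    expires = now + TTL_SECONDS
    return "%d:%s" % (expires, _mac(list_name, expires))


def verify_admin_cookie(list_name, value, now=None):
    """True only if the MAC matches this list and the cookie has not expired."""
    now = int(time.time() if now is None else now)
    try:
        expires_str, mac = value.split(":", 1)
        expires = int(expires_str)
    except (ValueError, AttributeError):
        return False          # malformed cookie
    if expires <= now:
        return False          # expired
    # compare_digest avoids leaking the expected MAC through timing
    return hmac.compare_digest(mac, _mac(list_name, expires))


def is_admin(list_name, http_cookie, now=None):
    """Drop-in replacement for the check in the post: parse HTTP_COOKIE, verify."""
    c = SimpleCookie(http_cookie)
    key = list_name + "-admin"
    if key not in c:
        return False
    return verify_admin_cookie(list_name, c[key].value, now)
```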