-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:

> I think Barry misunderstood which links you are talking about.
Yep. Thanks, I just re-read the OP (in post-coffee mode :), so now I get it.
> The links on the list admin overview page to lists really reveal nothing but the names of public lists on the server. These are already available on the listinfo overview page, and anyone who knows even a little bit about Mailman can easily construct admin or admindb links from the listinfo links. If you are concerned about revealing this, make all your lists advertised = No.
>
>> A random example: The official MailMan mailing list. Follow my steps:
>> 1 - Open this link: http://mail.python.org/mailman/admin
>> 2 - Then click on "create a new mailing list"
>
> Likewise, anyone with even a little knowledge of Mailman can figure out the URL to the create CGI. The answer is to use strong passwords, and if you are really concerned, don't advertise any lists and remove Mailman's cgi-bin/create wrapper so lists can't be created from the web, or alternatively just don't set site admin or list creator passwords, or remove data/adm.pw and data/creator.pw to remove those set previously.
Mark's suggestions are spot on.
-Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliOl0ACgkQ2YZpQepbvXF2yACfa9jcidXxfax6sLze5CJV4uXP
5qAAoK5gZzSRoCgdmpuvDrO8Jy79BdIT
=A81I
-----END PGP SIGNATURE-----
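The hardening Mark describes (remove the cgi-bin/create wrapper, or make sure neither the site admin nor the list creator password is set) is easy to audit on a box. The script below is an added example written for this page; it is not code from the Mailman project or from anyone in the thread. It assumes a Mailman 2.x layout where cgi-bin/ and data/ sit under one prefix (/usr/lib/mailman or /var/lib/mailman on common packagings; the exact prefix is an assumption you pass in). The file names cgi-bin/create, data/adm.pw and data/creator.pw are the ones named in the thread; the backup directory name and the constructed fake tree used for the demo are my own.

```shell
#!/bin/sh
# Added example (not Mailman project code): audit whether a Mailman 2.x install
# still allows list creation from the web, and optionally disable it the way the
# thread recommends. Assumption: one install prefix with cgi-bin/ and data/ below it.

# Exit 0 when web list creation is still possible: the create CGI wrapper exists
# AND at least one password the create page accepts is set.
#   data/adm.pw     : site administrator password (set by bin/mmsitepass)
#   data/creator.pw : list creator password      (set by bin/mmsitepass -c)
mailman_web_create_exposed() {
    prefix=$1
    [ -x "$prefix/cgi-bin/create" ] || return 1
    [ -s "$prefix/data/adm.pw" ] || [ -s "$prefix/data/creator.pw" ] || return 1
    return 0
}

# Human-readable audit: one line per file, then the overall verdict.
mailman_create_report() {
    prefix=$1
    for f in cgi-bin/create data/adm.pw data/creator.pw; do
        if [ -e "$prefix/$f" ]; then
            echo "present: $prefix/$f"
        else
            echo "absent:  $prefix/$f"
        fi
    done
    if mailman_web_create_exposed "$prefix"; then
        echo "RESULT: lists can be created from the web"
    else
        echo "RESULT: web list creation is disabled"
    fi
    return 0
}

# Apply the hardening. The wrapper and both password files are moved into a
# timestamped backup directory (my choice of name) rather than deleted, so the
# change can be reverted.
mailman_disable_web_create() {
    prefix=$1
    backup="$prefix/data/web-create-disabled.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in cgi-bin/create data/adm.pw data/creator.pw; do
        if [ -e "$prefix/$f" ]; then
            mv "$prefix/$f" "$backup/$(basename "$f")"
        fi
    done
    echo "moved originals to $backup"
    return 0
}

# Constructed stand-in for a Mailman tree (not a real install) so the functions
# can be exercised offline: a wrapper plus a creator password, no site password.
make_fake_mailman_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cgi-bin" "$t/data"
    printf '#!/bin/sh\n' > "$t/cgi-bin/create"
    chmod 755 "$t/cgi-bin/create"
    printf 'constructed-password-hash\n' > "$t/data/creator.pw"
    echo "$t"
}

# Demo: audit the constructed tree, harden it, audit again, clean up.
demo() {
    t=$(make_fake_mailman_tree)
    mailman_create_report "$t"
    mailman_disable_web_create "$t"
    mailman_create_report "$t"
    rm -rf "$t"
}

demo
```

On a real server you would run `mailman_create_report /usr/lib/mailman` (or whatever your prefix is) before touching anything. Note that data/adm.pw is the site-wide administrator password, which Mailman also accepts on every list's admin and admindb pages, so removing it disables more than web list creation; if you only want to stop creation, removing the cgi-bin/create wrapper alone is the narrower change.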