probing list names, and subscribers
I noticed there was a message or two about the ability to probe for list membership and list existence, even when privacy features have been turned on. I didn't see anything about this in the To-Do list.
Has anyone made any noise about working on this problem?
I see it as twofold: one, list names can be probed for existence. The same thing goes for membership, simply by guessing names to go after http://host/mailman/admin and http://host/mailman/options/. This defeats the purpose of having private lists, which is an absolute necessity for my system.
I think both of these can be easily fixed, and I'm more than willing to do the coding (I needed an excuse to learn yet another language).
For lists, if the list doesn't exist, don't give a failure page, but give the password page, and then always fail, giving no clue if the list name or the password is the problem.
For users, just ALWAYS produce the user options page, and then do a password fail if they try to submit anything.
This can produce more work for the mailman admin, as the legit users are less sure about why an action is not working.
Comments? Suggestions? Pointers to python docs ;)
thanks,
Britt Head Admin, Harvard Computer Society, and majordomo flunkie
Britt Bolen britt@bolen.com britt.bolen.com
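The uniform-response idea proposed for lists in the message above, sketched as an added example that is not part of the original post and is not Mailman's code. The handler names, the in-memory `LISTS` store and the sample list are constructed for illustration; the dummy record is an added assumption so that an unknown list costs the same hashing work as a real one.

```python
import hashlib
import hmac
import html
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample store: list name -> (salt, admin password hash).
LISTS = {"staff-private": _record("correct horse")}
# Verified against when the list is unknown, so both paths do the same work.
_DUMMY = _record(os.urandom(16).hex())

FAILURE = (401, "Authorization failed.")

def admin_login_page(listname: str) -> tuple[int, str]:
    """GET of the admin page: always the password page, never 'no such list'."""
    # Echo only what the client sent (escaped); a stored display name or
    # description would reveal that the list exists.
    name = html.escape(listname)
    return 200, f"<h1>{name} administrator authentication</h1><form method='post'>...</form>"

def admin_login(listname: str, password: str) -> tuple[int, str]:
    """POST: one failure response for 'unknown list' and 'wrong password'."""
    salt, stored = LISTS.get(listname, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # The dummy record can never authenticate: the list must also exist.
    if matches and listname in LISTS:
        return 200, f"Admin overview for {html.escape(listname)}"
    return FAILURE
```

The same pattern applies to the user options page: render it for any address and fail every submission identically.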