Re: [Mailman-Developers] Found a privacy loophole...
On Thu, 25 Nov 1999 17:30:03 -0600 (CST) Rick Niess <rniess@netserver3.otr.usm.edu> wrote:
Hi All, I just noticed something. I have some lists which are "private", so they don't show up in the index of lists that listinfo generates. However, if you follow the link to the "list admin overview page", it shows all the list names. Not terribly useful to the average web browser, but to someone who knows about mailman...
The most they can find out from the admin page without a list password is the fact that a name exists and thereby the knowledge of how to send administration and attempted post messages to the list.
If that is a problem, then you have larger problems in that you are implicitly relying on security thru obscurity. There is nothing that that web page can tell anybody that someone merely watching the mail traffic in and out of your site can't also determine.
--
J C Lawrence                              Home: claw@kanga.nu
----------(*)                            Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
On Sun, 28 Nov 1999 claw@kanga.nu wrote:
On Thu, 25 Nov 1999 17:30:03 -0600 (CST) Rick Niess <rniess@netserver3.otr.usm.edu> wrote:
Hi All, I just noticed something. I have some lists which are "private", so they don't show up in the index of lists that listinfo generates. However, if you follow the link to the "list admin overview page", it shows all the list names. Not terribly
The most they can find out from the admin page without a list password is the fact that a name exists and thereby the knowledge of how to send administration and attempted post messages to the list.
Whoah. All I was pointing out was that attempting to hide the existence of a list to those viewing the listinfo index (by turning off the Advertize option) isn't entirely bulletproof. The listinfo index page specifically tells them how to get to the pages for lists that they know exist but aren't listed there, and then it provides a link to the list admin overview page which lists all existing lists, hidden or not.
This isn't serious, or at least not on a system-wide level. Just possibly embarrassing to a list admin. And Barry has already noted that it's a known bug. FYI...
~ Rick ~
--
Rick C. Niess
University of Southern Miss.
resnet@usm.edu
"Man with closed mouth gathers no foot!"
In message <Pine.LNX.4.10.9911301030020.27149-100000@netserver3.otr.usm.edu>, Rick Niess writes:
Whoah. All I was pointing out was that attempting to hide the existence of a list to those viewing the listinfo index (by turning off the Advertize option) isn't entirely bulletproof. The listinfo index page specifically tells them how to get to the pages for lists that they know exist but aren't listed there, and then it provides a link to the list admin overview page which lists all existing lists, hidden or not.
Are you sure that your site works that way? If a list is unadvertised, then it shouldn't show up on either the listinfo or admin pages. Are you really seeing all the lists on the server on the admin page?
--
Ted Cabeen           http://www.pobox.com/~secabeen           secabeen@pobox.com
Check Website or finger for PGP Public Key        secabeen@midway.uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon   cococabeen@aol.com
"Human kind cannot bear very much reality."-T.S.Eliot 73126.626@compuserve.com
participants (3): claw@kanga.nu, Rick Niess, Ted Cabeen