MM admin interface wide open

Hi,
I'm using MM 2.1.12 and am running into a problem that is rather nasty. In my case the MM admin interface is wide open, which means that I don't need a site admin pwd to access http://mydomain/mailman/admin/mylist. I can click on logout and it will take me to the logout page, but simply removing /logout from the URL will load the admin interface again. Deleting the cookie doesn't help, closing the browser doesn't help. Oh, yeah. The admin interface is accessible via Google as well.
*hysteric scream* HELP please! ;-)
PS. if you email me, I can provide you with the URL to my MM installation.
Thanks.
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf@ladb.unm.edu

Ulf Hofemeier wrote:
> I'm using MM 2.1.12 and am running into a problem that is rather nasty. In my case the MM admin interface is wide open, which means that I don't need a site admin pwd to access http://mydomain/mailman/admin/mylist. I can click on logout and it will take me to the logout page, but simply removing /logout from the URL will load the admin interface again. Deleting the cookie doesn't help, closing the browser doesn't help. Oh, yeah. The admin interface is accessible via Google as well.
Do you allow site admin cookies and do you have one?
Logout will remove the list admin cookie, but if you allow site admin cookies and you have logged in with the site password, logout won't remove that cookie.
This doesn't sound like that's the issue in your case however, and it certainly isn't normal. Is this MM 2.1.12 installed from source or from a vendor package? If a package, which one? Any patches?
Note that it is normal for the admin login page for a public list to be indexed in google, but google's crawlers and people coming from google shouldn't be able to get past the login page without the password.
> PS. if you email me, I can provide you with the URL to my MM installation.
If you send it to me, I'll check it out.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Mark,
Logout won't remove the cookie if there is one, but I doubt there is.
ALLOW_SITE_ADMIN_COOKIES is set to NO. I compiled MM 2.1.12 from the
source.
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf@ladb.unm.edu

On Aug 26, 2009, at 5:15 PM, Mark Sapiro wrote:
> Ulf Hofemeier wrote:
>> I'm using MM 2.1.12 and am running into a problem that is rather nasty. In my case the MM admin interface is wide open, which means that I don't need a site admin pwd to access http://mydomain/mailman/admin/mylist. I can click on logout and it will take me to the logout page, but simply removing /logout from the URL will load the admin interface again. Deleting the cookie doesn't help, closing the browser doesn't help. Oh, yeah. The admin interface is accessible via Google as well.
>
> Do you allow site admin cookies and do you have one?
>
> Logout will remove the list admin cookie, but if you allow site admin cookies and you have logged in with the site password, logout won't remove that cookie.
>
> This doesn't sound like that's the issue in your case however, and it certainly isn't normal. Is this MM 2.1.12 installed from source or from a vendor package? If a package, which one? Any patches?
>
> Note that it is normal for the admin login page for a public list to be indexed in google, but google's crawlers and people coming from google shouldn't be able to get past the login page without the password.
>
>> PS. if you email me, I can provide you with the URL to my MM installation.
>
> If you send it to me, I'll check it out.
>
> --
> Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Folks,
It turns out the issue was that my mailman site admin password was
null, meaning I had no site admin password set. Using bin/mmsitepass
did solve the problem for me. Now, logout works and opening
mailman/admin/mylist does require a password to login.
@Mark, thank you for pointing this out for me!
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf@ladb.unm.edu

On Aug 26, 2009, at 5:15 PM, Mark Sapiro wrote:
> Ulf Hofemeier wrote:
>> I'm using MM 2.1.12 and am running into a problem that is rather nasty. In my case the MM admin interface is wide open, which means that I don't need a site admin pwd to access http://mydomain/mailman/admin/mylist. I can click on logout and it will take me to the logout page, but simply removing /logout from the URL will load the admin interface again. Deleting the cookie doesn't help, closing the browser doesn't help. Oh, yeah. The admin interface is accessible via Google as well.
>
> Do you allow site admin cookies and do you have one?
>
> Logout will remove the list admin cookie, but if you allow site admin cookies and you have logged in with the site password, logout won't remove that cookie.
>
> This doesn't sound like that's the issue in your case however, and it certainly isn't normal. Is this MM 2.1.12 installed from source or from a vendor package? If a package, which one? Any patches?
>
> Note that it is normal for the admin login page for a public list to be indexed in google, but google's crawlers and people coming from google shouldn't be able to get past the login page without the password.
>
>> PS. if you email me, I can provide you with the URL to my MM installation.
>
> If you send it to me, I'll check it out.
>
> --
> Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

Mark Sapiro wrote:
> Ulf Hofemeier wrote:
>> PS. if you email me, I can provide you with the URL to my MM installation.
>
> If you send it to me, I'll check it out.

After a little off list back and forth, Ulf wrote:
> I had no site admin password set. Setting one with mmsitepass did the
> trick. Thank you for pointing this out. Maybe it would be worthwhile
> to add a line of code that checks whether a site admin pass has been
> set for future versions? I tried to find a solution for my problem on
> your mailman-user list, but couldn't. I have a hard time believing
> that I'm the only one who has run into this problem though.
>
> Thank you for looking into it. Great support and I appreciate it :-)
Not having ever set a site password should not cause this problem. If the password was never set, there would be no data/adm.pw file at all and authenticating the site password should fail.
I think this issue could only occur if at some point someone actually set a null site password.
Still, it's worth fixing it so that a null password doesn't work. I can't see that anyone would actually want passwordless access to the admin interface except maybe in the case of a server that was not exposed on the internet at all, but probably not even then.
Does anyone need to have null passwords work in Mailman?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

The only scenario I can see is large organizations/corporations with
huge IT departments who have to administer mailing lists with thousands
of subscribers. In that case it might make more sense to protect the
admin interface through a dedicated virtual host + packet filter +
htaccess set up, rather than having every 'admin' type in the site
admin password for once, or once the site admin cookie has expired. It
would speed things up to have the interface accessible through one
link without any barriers. I don't know if this is an applicable
scenario or not, but IT departments with large organizations are
probably capable of making mailman work for them.
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf@ladb.unm.edu

> Still, it's worth fixing it so that a null password doesn't work. I can't see that anyone would actually want passwordless access to the admin interface except maybe in the case of a server that was not exposed on the internet at all, but probably not even then.
>
> Does anyone need to have null passwords work in Mailman?
>
> --
> Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

- Mark Sapiro <mark@msapiro.net>:
> Mark Sapiro wrote:
>> Ulf Hofemeier wrote:
>>> PS. if you email me, I can provide you with the URL to my MM installation.
>>
>> If you send it to me, I'll check it out.
>
> After a little off list back and forth, Ulf wrote:
>> I had no site admin password set. Setting one with mmsitepass did the
>> trick. Thank you for pointing this out. Maybe it would be worthwhile
>> to add a line of code that checks whether a site admin pass has been
>> set for future versions? I tried to find a solution for my problem on
>> your mailman-user list, but couldn't. I have a hard time believing
>> that I'm the only one who has run into this problem though.
>>
>> Thank you for looking into it. Great support and I appreciate it :-)
>
> Not having ever set a site password should not cause this problem. If the password was never set, there would be no data/adm.pw file at all and authenticating the site password should fail.
>
> I think this issue could only occur if at some point someone actually set a null site password.
>
> Still, it's worth fixing it so that a null password doesn't work. I can't see that anyone would actually want passwordless access to the admin interface except maybe in the case of a server that was not exposed on the internet at all, but probably not even then.
>
> Does anyone need to have null passwords work in Mailman?
I could only think of a corporate server, where the directories containing Mailman's admin interface are protected by e.g. Kerberos/LDAP (i.e. Active Directory).
Cheers
Stefan

I cannot think of any reason for having a null admin password. It is possible for corporate entities as Stefan mentions but even then probably very rare. If you are going to add the code to check for a null admin password, why not add an additional check to see if a new config option is set to yes - ALLOW_NULL_ADMIN_PWD. The default would be NO and for the corporate/groups/individuals that wish a null password, they can set it to YES in mm_cfg.py.
Just a thought,
Chris
Stefan Förster wrote:
> - Mark Sapiro <mark@msapiro.net>:
>> Mark Sapiro wrote:
>>> Ulf Hofemeier wrote:
>>>> PS. if you email me, I can provide you with the URL to my MM installation.
>>>
>>> If you send it to me, I'll check it out.
>>
>> After a little off list back and forth, Ulf wrote:
>>> I had no site admin password set. Setting one with mmsitepass did the
>>> trick. Thank you for pointing this out. Maybe it would be worthwhile
>>> to add a line of code that checks whether a site admin pass has been
>>> set for future versions? I tried to find a solution for my problem on
>>> your mailman-user list, but couldn't. I have a hard time believing
>>> that I'm the only one who has run into this problem though.
>>>
>>> Thank you for looking into it. Great support and I appreciate it :-)
>>
>> Not having ever set a site password should not cause this problem. If the password was never set, there would be no data/adm.pw file at all and authenticating the site password should fail.
>>
>> I think this issue could only occur if at some point someone actually set a null site password.
>>
>> Still, it's worth fixing it so that a null password doesn't work. I can't see that anyone would actually want passwordless access to the admin interface except maybe in the case of a server that was not exposed on the internet at all, but probably not even then.
>>
>> Does anyone need to have null passwords work in Mailman?
>
> I could only think of a corporate server, where the directories containing Mailman's admin interface are protected by e.g. Kerberos/LDAP (i.e. Active Directory).
>
> Cheers
> Stefan
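The three states discussed in this thread (no site password file at all, a file holding a null password, and a real password), together with Mark's point that a null password must not authenticate and Chris's proposed ALLOW_NULL_ADMIN_PWD opt-in, can be modelled in a few lines. The block below is an added example written for this page, not Mailman's own code: it assumes the site password file stores a hex digest of the password, uses a temporary directory with a constructed `adm.pw` file name, and treats `ALLOW_NULL_ADMIN_PWD` as a hypothetical flag with the default of NO that Chris suggested. It also includes the "is a site password set at all?" check Ulf asked for, returning "missing", "null" or "set".

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# Hypothetical configuration flag modelled on the ALLOW_NULL_ADMIN_PWD option
# proposed in the thread. It is not a real Mailman 2.1 setting; the default of
# False means an empty site password is never accepted.
ALLOW_NULL_ADMIN_PWD = False


def _digest(password: str) -> str:
    # Assumption for illustration: the password file holds a hex digest of the
    # password rather than the cleartext password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_site_password(path: str, password: str) -> None:
    """Model of what a tool like mmsitepass does: write the digest to the file.

    Storing an empty password here reproduces the state the thread describes:
    the file exists, so the "never set" case does not apply, yet the stored
    digest is the digest of an empty response.
    """
    with open(path, "w", encoding="utf-8") as fp:
        fp.write(_digest(password) + "\n")


def _read_stored_digest(path: str) -> Optional[str]:
    """Return the stored digest, or None when no password file exists."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fp:
        return fp.read().strip()


def audit_site_password(path: str) -> str:
    """The check Ulf asked for: report whether a usable site password is set."""
    stored = _read_stored_digest(path)
    if stored is None:
        return "missing"
    if stored == "" or hmac.compare_digest(stored, _digest("")):
        return "null"
    return "set"


def naive_check_site_password(path: str, response: str) -> bool:
    """Weak variant: a bare digest comparison. With a null stored password an
    empty response authenticates, which is the "wide open" behaviour."""
    stored = _read_stored_digest(path)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(response))


def check_site_password(path: str, response: str,
                        allow_null: bool = ALLOW_NULL_ADMIN_PWD) -> bool:
    """Hardened variant: fail closed on a missing file, refuse an empty
    response, and refuse a null stored password unless the operator opted in."""
    stored = _read_stored_digest(path)
    if stored is None:
        return False
    if not allow_null and (response == "" or audit_site_password(path) == "null"):
        return False
    return hmac.compare_digest(stored, _digest(response))


def run_scenarios() -> dict:
    """Walk through the states discussed in the thread and return the outcomes."""
    workdir = tempfile.mkdtemp()
    pw_file = os.path.join(workdir, "adm.pw")  # constructed path, not a real install
    results = {}
    results["never_set"] = (audit_site_password(pw_file),
                            naive_check_site_password(pw_file, ""),
                            check_site_password(pw_file, ""))
    store_site_password(pw_file, "")
    results["null_set"] = (audit_site_password(pw_file),
                           naive_check_site_password(pw_file, ""),
                           check_site_password(pw_file, ""),
                           check_site_password(pw_file, "", allow_null=True))
    store_site_password(pw_file, "correct horse battery")  # constructed sample
    results["real_set"] = (audit_site_password(pw_file),
                           check_site_password(pw_file, "correct horse battery"),
                           check_site_password(pw_file, "wrong"),
                           check_site_password(pw_file, ""))
    return results


if __name__ == "__main__":
    for state, outcome in run_scenarios().items():
        print(state, outcome)
```

Running the block prints one line per state: with no file both checks fail, with a null password only the naive check lets an empty response through (and the hardened one only when `allow_null` is set), and with a real password only the matching response succeeds. The audit function is the piece an operator would run after an install, since "missing" and "null" are the two states that need a trip to mmsitepass.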