
When you go to: http://yourdomain.com/mailman.listinfo/[listname] you, as a normal member, know a member's email address from that list and write that email address in the input field:
To unsubscribe from [listname], get a password reminder, or change your subscription options enter your subscription email address:
[ a.member@domain.com ] {unsubscribe or edit options}
If you leave the field blank, you will be prompted for your email address
You can just edit another member's options and can even change the password.
Please, this is not a good situation. It was not me who discovered it, but a member of a list.
Danny.

On Thu, 2002-05-02 at 12:31, Danny Terweij wrote:
You *can* see any member's options this way, but you cannot save them or change the password unless you know that member's password.
Just tested that through on the mailman-developers list which is running a current development version.
I guess if it was particularly felt that this was a problem (i.e. security and information leakage) then this could be changed so that whatever email address was put in led you to a page with 2 choices:-
Enter password: If member address valid and password was correct, takes you to the other options. Otherwise loops back to the same page again.
Send password to me: If member address valid, sends the related password by mail. Otherwise does nothing. In both cases takes you to a page stating that the password will have been sent if the member mail address was valid.
Personally I don't get too excited about this - I am more concerned with locking down the membership roster which we need to ensure defaults as completely unavailable. [Especially as I have been hit with some Data Protection legislation related stuff in the last couple of weeks]
Nigel.
-- [ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ] [ - Comments in this message are my own and not ITO opinion/policy - ]

"NM" == Nigel Metheringham <Nigel.Metheringham@dev.InTechnology.co.uk> writes:
NM> Just tested that through on the mailman-developers list which
NM> is running a current development version.
Actually, it's not yet. It will as soon as MM2.1b2 comes out (perhaps tomorrow or this weekend, depending on other factors).
One thing that may need to change is that if you authenticated to the list as the list owner, you have access to any member's options page. I find that damn handy for debugging, but it may not be the best policy for the final release.
-Barry

"DT" == Danny Terweij <danny@terweij.nl> writes:
DT> When you go to :
DT> http://yourdomain.com/mailman.listinfo/[listname] You as
DT> normal member, knows a member's email address from that list and
DT> write that email address in the input field :
DT> To unsubscribe from [listname], get a password reminder, or
DT> change your subscription options enter your subscription email
DT> address:
DT> [ a.member@domain.com ] {unsubscribe or edit options}
DT> If you leave the field blank, you will be prompted for your
DT> email address
DT> You can just edit another member's options and can even change
DT> the password.
DT> Please this is not a good situation.
DT> Not me discovered it, but a member from a list.
This is not how it works in MM2.1. Are you sure you're not already authenticated to the list with the list owner's password? Go to the admin page for the list and hit "Log out" to be sure.
If you type in a random member's address in the "Unsubscribe or edit options" field, you will be presented with a login page. You cannot even view the user's options without logging in. You can, however, request a password reminder, or initiate the first part of a mailback unsubscribe confirmation sequence. Depending on the privacy settings of the list, the exact contents of the login page will differ slightly, so that at the most paranoid setting you won't even be told whether the address you entered is even a member of the list or not.
-Barry
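The flow Nigel sketches earlier in the thread (enter the password, or have it mailed, with one response page either way) and the behaviour Barry describes for MM2.1 (a login page that, at the most private setting, never reveals whether an address is subscribed), written out as an added Python example; this is not Mailman's own code. MEMBERS, PRIVATE_ROSTER, options_page and the sample addresses are constructed for the example.

```python
import hmac
import secrets

# Constructed sample roster (address -> password); not a real list.
MEMBERS = {"a.member@domain.com": "s3cret-pass", "b.member@domain.com": "another-pass"}
# Assumed switch standing in for the list's "most paranoid" privacy setting:
# when True, no response reveals whether an address is subscribed.
PRIVATE_ROSTER = True
# Random dummy so unknown addresses still go through a full comparison.
_DUMMY = secrets.token_hex(16)
# One message for every outcome of the reminder branch, as Nigel proposed.
REMINDER_MSG = "If that address is subscribed, its password has been mailed to it."


def _check_password(address, password):
    """True only for a subscribed address with the matching password.
    compare_digest keeps the timing independent of where the mismatch is,
    and the dummy keeps the comparison running for unknown addresses."""
    stored = MEMBERS.get(address)
    candidate = stored if stored is not None else _DUMMY
    matched = hmac.compare_digest(candidate.encode(), password.encode())
    return matched and stored is not None


def options_page(address, action, password="", outbox=None):
    """Handle the 'Unsubscribe or edit options' form for one request.
    action is "login" (Nigel's "Enter password" choice) or "remind" (his
    "Send password to me"); outbox collects (recipient, body) mail the server
    would send. Returns (page, text) as the browser would see it."""
    if outbox is None:
        outbox = []
    if action == "login":
        if _check_password(address, password):
            return ("options", "Options for " + address)
        # Wrong password and unknown address get the identical page.
        return ("login", "Authentication failed. Enter your password.")
    if action == "remind":
        if address in MEMBERS:
            outbox.append((address, "Your password is " + MEMBERS[address]))
        if PRIVATE_ROSTER:
            return ("reminder_sent", REMINDER_MSG)
        # Open roster: the page may say outright whether the address is a member.
        if address in MEMBERS:
            return ("reminder_sent", "Your password reminder has been mailed.")
        return ("login", "No such member: " + address)
    return ("login", "Unknown action.")
```

With PRIVATE_ROSTER set, a subscribed and an unsubscribed address produce byte-identical pages for both choices, which is the property Barry describes for the paranoid setting; the only difference is what lands in the outbox.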
