
I was hacking around my new Mailman setup, and found out to my great surprise: The "private" archives are accessible without a username. Well, that's only half the story, but it really caught me by surprise. I eventually figured out that the list is accessible by entering just the admin password. Is there a way to change this so that admin also needs to enter a username?
thanks cheers, gary
gary c wang ICQ: 4343405

At 10:41 PM 3/29/02 +0900, Gary Wang wrote:
I was hacking around my new Mailman setup, and found out to my great surprise: The "private" archives are accessible without a username. Well, that's only half the story, but it really caught me by surprise. I eventually figured out that the list is accessible by entering just the admin password. Is there a way to change this so that admin also needs to enter a username?
2.1b1 does that, which I find annoying as hell, because now if I need to fix something I have to first go look up a valid user on the list to use the admin password on... But it sounds like you'll be happy :-).

Well, it IS rather convenient, but I am more concerned about the potential (sort-of) security risk. Because access is allowed without username, some d00d with evil intent would have an easier time brute-forcing the password.. You know what 'they' say... to catch the bad guys, you have to think like them..
On Friday, March 29, 2002, at 10:48 PM, Ron Jarrell wrote:
gary c wang ICQ: 4343405
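One way a list administrator could watch for the password-guessing risk raised above, as an added example that is not from this thread and not part of Mailman: a small Python script that reads web-server access logs in Apache "combined" format and flags any client that POSTs to a private-archive login more than a threshold number of times inside a sliding time window. It assumes that Mailman serves the private archive and its login form at /mailman/private/<listname>/ and that the form posts back to that same path; the log lines, the IP addresses, the list name "mylist", and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log format, one request per line (assumption:
# the Mailman CGI runs behind Apache with this log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: Mailman 2.x serves the private archive (and its login form)
# at /mailman/private/<listname>/ and the login form POSTs back to it.
PRIVATE_LOGIN_RE = re.compile(r'^/mailman/private/(?P<list>[^/?]+)/?')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {(ip, listname): peak_count} for every client that submitted the
    private-archive login form more than `threshold` times within `window`.

    Success and failure are not distinguished here: the login form answers
    with a page either way, so the signal is the rate of submissions alone.
    """
    attempts = defaultdict(deque)   # (ip, list) -> timestamps inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        pm = PRIVATE_LOGIN_RE.match(rec["path"])
        if not pm:
            continue
        key = (rec["ip"], pm.group("list"))
        q = attempts[key]
        q.append(rec["ts"])
        # Drop submissions that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def _line(ip, hhmmss, method, path, status="200"):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [29/Mar/2002:{hhmmss} +0900] "{method} {path} HTTP/1.0" '
            f'{status} 512 "-" "Mozilla/4.0"')


# Constructed sample: one ordinary user, one client hammering the login
# form with eight submissions in about 70 seconds, and unrelated traffic.
SAMPLE_LOG = [
    _line("198.51.100.7", "22:41:00", "GET", "/mailman/private/mylist/"),
    _line("198.51.100.7", "22:41:20", "POST", "/mailman/private/mylist/"),
    _line("198.51.100.7", "22:41:45", "POST", "/mailman/private/mylist/"),
] + [
    _line("192.0.2.10", f"22:50:{i * 10:02d}", "POST", "/mailman/private/mylist/")
    for i in range(6)
] + [
    _line("192.0.2.10", f"22:51:{i * 10:02d}", "POST", "/mailman/private/mylist/")
    for i in range(2)
] + [
    _line("203.0.113.5", "22:55:00", "GET", "/mailman/listinfo/mylist"),
]


if __name__ == "__main__":
    for (ip, listname), count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login submissions to private archive of {listname} "
              f"within 5 minutes")
```

The script only reports; a practitioner would feed the flagged addresses to a rate limit or block rule at the web server, which is where throttling belongs when the application itself offers no lockout. Lowering `threshold` trades fewer missed guessing runs for more false alarms from users who mistype a password a few times.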

You think if someone has the admin password, they aren't capable of doing much more damage than accessing the archives?
Ron, I think your problem is specific to you; my admin password still lets me into anything, including archives, and I would expect that to stay the same.
Gary Wang wrote:
participants (3)
- Dan Mick
- Gary Wang
- Ron Jarrell