[ mailman-Bugs-1263239 ] Mailman on SSL sends passwords in plain text

SourceForge.net noreply at sourceforge.net
Thu Aug 18 19:25:43 CEST 2005


Bugs item #1263239, was opened at 2005-08-18 17:25
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web/CGI
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text

Initial Comment:
I have tried putting Mailman on a secure path of my 
server on an https url. It seemed to work approximately 
when adding the following directive in apache:

RewriteCond          %{HTTPS} !=on
RewriteRule     /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list 
creation and I have seen that all the form is posted IN 
CLEAR. This is normal in fact as we send that to the 
http link first (see Bug Request #1263219). Therefore 
the whole test is sent in clear and only afterwards the 
client receives back the document move to https from 
apache to redirect to the proper page.

I think that this could be solved if all links of the 
mailman binaries (admin, create and so forth) are taking 
dynamically the link specified in the mm_cfg.py, in the 
DEFAULT_URL_HOST tag.

However, maybe there is another clean way of putting 
that on a secure url. If so I would be interested in how to 
do that because I didn't find anything about that subject 
apart from people doing it all like I did.

Thanks,
Daniel


