[ mailman-Feature Requests-1441723 ] privacy hole in password reminder

SourceForge.net noreply at sourceforge.net
Sat May 27 03:48:22 CEST 2006


Feature Requests item #1441723, was opened at 2006-03-02 05:48
Message generated for change (Comment added) made by msapiro
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=350103&aid=1441723&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: dmvianna (dmvianna)
Assigned to: Nobody/Anonymous (nobody)
Summary: privacy hole in password reminder

Initial Comment:
Mailman sends me password reminders in plain text. I
can disable this feature, but other users can manually
make it send a reminder just as if I had forgotten the
password, with no other question being asked. If smart
enough to intercept that message, the attacker could:

1) Get my password;
2) get my IP in the mail header.

Possible solutions:

1) Some sites and programs use a "secret question"
whose right answer would give the user the chance to
get a password reminder.

2) The password could be prompted in a secure html
page. I find this safer, as compared to plain text mails.

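Added example (not code from the tracker thread or from Mailman itself): a single-use reset-token flow of the kind that replaces a mailed plaintext password, so that an intercepted message yields only a short-lived token and an unsolicited request only sends the real owner a link. The `PasswordResetService` class, its method names and the 15-minute lifetime are assumptions.

```python
# Added example: one-time reset tokens instead of mailing the stored password
# in clear text. Not Mailman code; class name, method names and the
# 15-minute lifetime are assumptions.
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 15 * 60  # seconds a reset link stays valid


class PasswordResetService:
    """Issues single-use reset tokens; never reveals or mails the password."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # address -> (sha256(token), expiry). Only the hash is stored, so a
        # leaked table does not yield usable reset links.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, address):
        """Return the token that would go into the e-mailed reset link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[address] = (self._digest(token),
                                  self._clock() + TOKEN_LIFETIME)
        return token

    def redeem(self, address, token):
        """True once for a valid, unexpired token; the entry is then dropped."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        stored_digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[address]  # expired links are purged, not honoured
            return False
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[address]  # single use: a replayed link fails
        return True
```

The mailed message carries only the token, so the stored password is never in transit and a captured link stops working after one use or fifteen minutes.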
----------------------------------------------------------------------

>Comment By: Mark Sapiro (msapiro)
Date: 2006-05-26 18:48

Message:
Logged In: YES 
user_id=1123998

I'm not sure what IP you think would be in the email header
that isn't already publicly available via a DNS query of
your email domain, or why you think even that IP would be in
the header of an intercepted mail.

Also, when you say "If smart enough to intercept that
message", are you aware of an attack that would enable this,
or are you just concerned that it could happen?

Finally, password reminders will go away in Mailman 2.2.
We'll try to keep your concern in mind as we work on their
replacement.

----------------------------------------------------------------------
