[ mailman-Bugs-209499 ] Security hole: passwords mailed in clear

SourceForge.net noreply at sourceforge.net
Thu Mar 1 19:44:01 CET 2007


Bugs item #209499, was opened at 2000-07-13 20:26
Message generated for change (Comment added) made by msapiro
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=209499&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Closed
Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: L. Peter Deutsch (lpd)
Assigned to: Nobody/Anonymous (nobody)
Summary: Security hole: passwords mailed in clear

Initial Comment:
I recently signed up on a SourceForge mailing list. The software mailed a confirmation notice to my mailbox, with the password in clear in the message. This is a basic security hole. I reported this as a SourceForge bug, and they said "Contact the gnu-mailman project."

In my opinion, passwords should never be mailed in clear, especially not to the e-mail address with which they are associated. Please consider changing this.


----------------------------------------------------------------------

>Comment By: Mark Sapiro (msapiro)
Date: 2007-03-01 10:44

Message:
Logged In: YES 
user_id=1123998
Originator: NO

This will finally be fixed in Mailman 2.2.

----------------------------------------------------------------------

Comment By: Benjamin Blümchen (bburkhart)
Date: 2006-11-26 11:23

Message:
Logged In: YES 
user_id=597317
Originator: NO

Hello everyone,

to me, mailing passwords in clear text is never acceptable. In some
setups, one never knows who else is looking at the mail.

The lack of biological RAM in layer 8 is also not an excuse. There are
better ways of dealing with the password remembering problem.

Anyway, mailman is now out of the question and also uninstalled from my
machine.

Cheers
Benjamin

----------------------------------------------------------------------

Comment By: L. Peter Deutsch (lpd)
Date: 2000-07-23 23:31

Message:
It's OK with me if you want to close this report; in my opinion, the
Resolution should say "Wont fix".


----------------------------------------------------------------------

Comment By: Thomas Wouters (twouters)
Date: 2000-07-17 02:43

Message:
The Mailman password is in no way a secure password. Mailman is intended
for a wide variety of users, most of whom are unable to remember even the
simplest password ;)

The Mailman password is not used as an authentication method, but more as
a *confirmation* method. You'll get a password reminder every month or so
(if the list admin and site admin enabled that) and the only things you use
the password for are unsubscribing, changing your options and viewing
the private archive (if any).

In future versions of Mailman it might be possible to use external
passwords for mailing list subscribers, but currently the infrastructure for
that is missing. It's on the TODO list, in any case :)


----------------------------------------------------------------------
