[Mailman-Developers] Found a privacy loophole...

claw@kanga.nu claw@kanga.nu
Sun, 28 Nov 1999 22:34:18 -0800

On Thu, 25 Nov 1999 17:30:03 -0600 (CST) 
Rick Niess <rniess@netserver3.otr.usm.edu> wrote:

> Hi All, I just noticed something.  I have some lists which are
> "private", so they don't show up in the index of lists that
> listinfo generates. However, if you follow the link to the "list
> admin overview page", it shows all the list names.  Not terribly
> useful to the average web browser, but to someone who knows about
> mailman...

The most they can find out from the admin page without a list
password is the fact that a name exists and thereby the knowledge of
how to send administration and attempted post messages to the list.

If that is a problem, then you have larger problems in that you are
implicitly relying on security thru obscurity.  There is nothing
that that web page can tell anybody that someone merely watching the
mail traffic in and out of your site can't also determine.

J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--