[Mailman-Developers] Doubt about security

Dan Mahoney, System Admin danm at prime.gushi.org
Mon Jan 5 15:34:47 CET 2009


On Mon, 5 Jan 2009, Edilson Azevedo wrote:

> Hi Barry, and thanks for answering!
>
> You said "should". But in 95% of the lists that I look at, those links are
> always open. A random example: the official Mailman mailing list. Follow my
> steps:
>
> 1 - Open this link: http://mail.python.org/mailman/admin
>
> 2 - After that, click on "create a new mailing list"
>
> 3 - You can try to create a new list until you discover the correct password (if
> you don't know it). But, if you don't know the password, you can try to use a
> bruteforce. They are very easy to find and very, very, very easy to use.
> Sometimes they work very well.. hehehe.
>
>
> Again: anyone, anywhere, can try to create a new list. Is it correct??!!
>
> Thanks Barry!!!
>
> P.S.: Try those same steps on other mailing list sites. It always works!

Allow me to chime in and ask how this would be different if the form were 
behind a login screen?  Or any form at all?  You can "brute force" any 
screen in mailman and afaik there's no timeout or backoff interval.

I see this as a non-issue, personally, but I do think it looks bad, and 
think that screen should, in a perfect world, be shown ONLY if there is 
a "list creator" password with no other privileges (but then, if that was 
the behavior, it would leak that fact).

Just my 0.02.

-Dan
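Dan's point that any Mailman screen can be brute-forced because there is no timeout or backoff interval is the one a defender would want to close. The following is an added illustration, not Mailman code and not from anyone in this thread, of the per-client exponential backoff he describes as missing: each failed authentication attempt doubles the lockout window for that client key, up to a cap, and a successful login resets it. The client key `203.0.113.7`, the constructed site password and the `FakeClock` helper are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed credential for the example only; a real deployment would
# store a salted, slow hash (bcrypt/scrypt/argon2), not a bare SHA-256.
_SITE_PASSWORD_HASH = hashlib.sha256(b"constructed-example-password").digest()


def check_password(presented: str) -> bool:
    """Constant-time comparison of the presented password against the stored hash."""
    digest = hashlib.sha256(presented.encode("utf-8")).digest()
    return hmac.compare_digest(digest, _SITE_PASSWORD_HASH)


class LoginBackoff:
    """Tracks failed attempts per key (client address, account, ...) and
    enforces an exponentially growing lockout window, capped at max_delay."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                  # injectable so tests can control time
        self.failures = defaultdict(int)    # key -> consecutive failures
        self.locked_until = {}              # key -> monotonic timestamp

    def allowed(self, key) -> bool:
        """True if the key is not currently inside a lockout window."""
        return self.clock() >= self.locked_until.get(key, 0.0)

    def record_failure(self, key) -> float:
        """Register a failure and return the new lockout delay in seconds:
        base, 2*base, 4*base, ... up to max_delay."""
        self.failures[key] += 1
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1), self.max_delay)
        self.locked_until[key] = self.clock() + delay
        return delay

    def record_success(self, key) -> None:
        """A correct password clears the failure history for the key."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(backoff: LoginBackoff, key, presented: str) -> str:
    """One authentication attempt; returns 'locked', 'denied' or 'ok'.
    The password is never checked while the key is locked, so a guesser
    learns nothing during the backoff window."""
    if not backoff.allowed(key):
        return "locked"
    if check_password(presented):
        backoff.record_success(key)
        return "ok"
    backoff.record_failure(key)
    return "denied"


class FakeClock:
    """Deterministic clock for the simulation (assumption, not production code)."""

    def __init__(self):
        self.t = 0.0

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def now(self) -> float:
        return self.t


def simulate(attempts, key="203.0.113.7"):
    """Run a sequence of (seconds_to_advance, guess) pairs through the backoff
    logic and return the list of outcomes."""
    clock = FakeClock()
    backoff = LoginBackoff(clock=clock.now)
    outcomes = []
    for advance, guess in attempts:
        clock.advance(advance)
        outcomes.append(attempt_login(backoff, key, guess))
    return outcomes


if __name__ == "__main__":
    # Constructed attempt sequence: two guesses inside the first 1 s window,
    # a third after it expires (window grows to 2 s), then the right password.
    print(simulate([(0, "aaaa"), (0.5, "bbbb"), (0.6, "cccc"),
                    (1.0, "dddd"), (2.0, "constructed-example-password"), (0, "eeee")]))
```

Keying the lockout on the client address is the cheap version; it slows a single guesser but not a distributed one, and keying it on the target account instead lets an attacker lock legitimate administrators out. In practice both counters are kept and the delay is the larger of the two, and every lockout event is logged so the attempts Edilson describes become visible rather than silent.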
