[Mailman-Developers] Doubt about security

Barry Warsaw barry at list.org
Mon Jan 5 17:50:36 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:

> I think Barry misunderstood which links you are talking about.

Yep.  Thanks, I just re-read the OP (in post-coffee mode :), so now I get it.

> The links on the list admin overview page to lists really reveal
> nothing but the names of public lists on the server. These are already
> available on the listinfo overview page and anyone who knows even a
> little bit about Mailman can easily construct admin or admindb links
> from the listinfo links. If you are concerned about revealing this,
> make all your lists advertised = No.
>
>> A random example: The official Mailman mailing list. Follow my
>> steps:
>>
>> 1 - Open this link: http://mail.python.org/mailman/admin
>>
>> 2 - After, click on "create a new mailing list"
>
>
> Likewise, anyone with even a little knowledge of Mailman can figure out
> the URL to the create CGI.
>
> The answer is to use strong passwords, and if you are really concerned,
> don't advertise any lists and remove Mailman's cgi-bin/create wrapper
> so lists can't be created from the web, or alternatively just don't
> set site admin or list creator passwords or remove data/adm.pw and
> data/creator.pw to remove those set previously.

Mark's suggestions are spot on.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliOl0ACgkQ2YZpQepbvXF2yACfa9jcidXxfax6sLze5CJV4uXP
5qAAoK5gZzSRoCgdmpuvDrO8Jy79BdIT
=A81I
-----END PGP SIGNATURE-----
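Added example, not part of this thread and not code from the Mailman project: a POSIX shell script that checks a Mailman 2.x installation for the three items Mark names (the cgi-bin/create wrapper, data/adm.pw and data/creator.pw), moves them out of the way into a backup directory, and prepares the advertised = No change via bin/config_list. Assumptions: the default source-install layout with cgi-bin, data and bin under one prefix (distribution packages such as Debian's relocate cgi-bin), and Mailman 2's config_list -i input-file option. The directory tree used for the demonstration is constructed by the script itself; the function and file names are the example's own.

```shell
#!/bin/sh
# Hardening helper for a Mailman 2.x install (added example, not Mailman code).
# Assumed layout: $PREFIX/cgi-bin/create, $PREFIX/data/adm.pw,
# $PREFIX/data/creator.pw, $PREFIX/bin/config_list.

# Report the findings Mark lists; details go to stderr, the count to stdout.
mailman_audit() {
    prefix="$1"
    found=0
    if [ -e "$prefix/cgi-bin/create" ]; then
        echo "WARN: $prefix/cgi-bin/create exists: lists can be created from the web" >&2
        found=$((found + 1))
    fi
    for pw in data/adm.pw data/creator.pw; do
        if [ -e "$prefix/$pw" ]; then
            echo "WARN: $prefix/$pw exists: a site-wide password is set" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Move the create wrapper and the password files into a backup directory so
# the change is reversible; prints the number of files moved.
mailman_harden() {
    prefix="$1"
    backup="$prefix/hardening-backup"
    mkdir -p "$backup"
    moved=0
    for f in cgi-bin/create data/adm.pw data/creator.pw; do
        if [ -e "$prefix/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")"
            mv "$prefix/$f" "$backup/$f"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Write a config_list input fragment setting advertised = No (0) and apply it
# to each named list with bin/config_list -i; when the binary is absent (as in
# the constructed demo tree) the command that would run is shown instead.
# Prints the fragment path.
mailman_unadvertise() {
    prefix="$1"; shift
    frag="$prefix/data/unadvertise.cfg"
    printf 'advertised = 0\n' > "$frag"
    for list in "$@"; do
        if [ -x "$prefix/bin/config_list" ]; then
            "$prefix/bin/config_list" -i "$frag" "$list"
        else
            echo "would run: $prefix/bin/config_list -i $frag $list" >&2
        fi
    done
    echo "$frag"
}

# Constructed stand-in for a real prefix: empty wrapper and dummy password files.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/data"
    : > "$d/cgi-bin/create"
    printf 'dummy-hash\n' > "$d/data/adm.pw"
    printf 'dummy-hash\n' > "$d/data/creator.pw"
    echo "$d"
}

# Demonstration run against the constructed tree.
DEMO=$(demo_tree)
echo "findings before: $(mailman_audit "$DEMO")"
echo "files moved: $(mailman_harden "$DEMO")"
echo "findings after: $(mailman_audit "$DEMO")"
mailman_unadvertise "$DEMO" mailman-developers >/dev/null
rm -rf "$DEMO"
```

On a live server, run mailman_audit with the real prefix first, then mailman_harden, and feed the list names from bin/list_lists -b to mailman_unadvertise; removing the files does not change the fact that the admin, admindb and create URLs are guessable, so the strong-password advice still applies to every list password.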