[Mailman-Developers] Doubt about security

Edilson Azevedo eazevedo at bsd.com.br
Mon Jan 5 18:27:26 CET 2009


Ok... thanks to all!!!

 But I have one last doubt: what is the advantage of keeping list creation
open to the world? What would be the real advantage? I need to understand
before blocking access.

THANKS!!!!!


On Mon, Jan 5, 2009 at 2:50 PM, Barry Warsaw <barry at list.org> wrote:

> On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:
>
>> I think Barry misunderstood which links you are talking about.
>
> Yep.  Thanks, I just re-read the OP (in post-coffee mode :), so now I get
> it.
>
>> The links on the list admin overview page to lists really reveal
>> nothing but the names of public lists on the server. These are already
>> available on the listinfo overview page and anyone who knows even a
>> little bit about Mailman can easily construct admin or admindb links
>> from the listinfo links. If you are concerned about revealing this,
>> make all your lists advertised = No.
>>
>>> A random example: the official Mailman mailing list. Follow my
>>> steps:
>>>
>>> 1 - Open this link: http://mail.python.org/mailman/admin
>>>
>>> 2 - Then click on "create a new mailing list"
>>>
>>
>>
>> Likewise, anyone with even a little knowledge of Mailman can figure out
>> the URL to the create CGI.
>>
>> The answer is to use strong passwords, and if you are really concerned,
>> don't advertise any lists and remove Mailman's cgi-bin/create wrapper
>> so lists can't be created from the web, or alternatively just don't
>> set site admin or list creator passwords or remove data/adm.pw and
>> data/creator.pw to remove those set previously.
>>
>
> Mark's suggestions are spot on.
>
> - -Barry
>
>



-- 
Best regards,

Edilson Azevedo
(19) 3787-3312
(12) 8156-5590
Mail / Gtalk: eazevedo at bsd.com.br
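The two hardening options Mark quotes above (remove the cgi-bin/create wrapper, or make sure neither data/adm.pw nor data/creator.pw exists) turned into a quick audit script. This is an added example, not code from the thread or from the Mailman project; it assumes the standard Mailman 2.1 layout with cgi-bin/ and data/ under one prefix, and the demo at the bottom runs against a constructed temporary directory rather than a real install.

```shell
#!/bin/sh
# mm_create_disabled PREFIX
# Reports whether web-based list creation is effectively disabled on a
# Mailman 2.1 install rooted at PREFIX (e.g. /usr/local/mailman).
# Returns 0 when disabled, 1 when the create form can still be used.
mm_create_disabled() {
    prefix=$1
    # The create CGI wrapper is what the "create a new mailing list" form
    # posts to; without it there is no web entry point at all.
    if [ ! -e "$prefix/cgi-bin/create" ]; then
        echo "cgi-bin/create absent: web list creation disabled"
        return 0
    fi
    # With the wrapper present, creation must be authorised by the site
    # admin or list creator password. If neither password file exists,
    # nothing can authorise a creation request.
    if [ ! -e "$prefix/data/adm.pw" ] && [ ! -e "$prefix/data/creator.pw" ]; then
        echo "no data/adm.pw or data/creator.pw: web list creation disabled"
        return 0
    fi
    echo "cgi-bin/create present and a site/creator password is set"
    return 1
}

# Demo on a constructed layout (not a real install) so the script runs
# offline: wrapper present plus creator.pw set, i.e. creation is open.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cgi-bin" "$demo_dir/data"
: > "$demo_dir/cgi-bin/create"
: > "$demo_dir/data/creator.pw"
if mm_create_disabled "$demo_dir"; then
    echo "OK: nothing to do"
else
    echo "WARN: remove cgi-bin/create or the password files to close it"
fi
rm -rf "$demo_dir"
```

Run it against the real prefix as the Mailman user; it only reads the filesystem and changes nothing.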

