[Mailman-Developers] Doubt about security

Mark Sapiro mark at msapiro.net
Mon Jan 5 20:40:54 CET 2009


Barry Warsaw wrote:
>
>On Jan 5, 2009, at 1:12 PM, skip at pobox.com wrote:
>
>> I suspect the default should be to not expose those things. I wasn't
>> even aware that list creation through the web was possible. Based on
>> the extremely novice questions I see posted to mailman-users on
>> occasion I suspect many potential Mailman admins are unaware of this as
>> well. I fear those admins are also the ones most likely to not create
>> strong passwords.
>
>Note that by default, it's not possible to create mailing lists through
>the web even though the link exists. You have to create a site password
>or 'list creators' password to enable this feature. A site admin should
>know enough to set these passwords to something strong and difficult to
>brute force.
>
>Still, the suggestion for disabling this CGI is easy enough, and if you
>have shell access to create those passwords, you have shell access to
>disable the CGI.


As Barry points out, the door is neither open nor easily opened by
default.

Also, in a default installation, alias generation is manual, and
creating a list from the web is not sufficient to make it work.

Further, I think this whole list create issue is a red herring. If I
were a black-hat looking to create a list on your server to use for my
own nefarious purposes, I think I'd use my dictionary attack to try to
access the admin interface of an existing list where the password is
more likely to be weak. Once I have the admin password for an existing
list, I can do anything with that list that I might have done with a
new list, and incidentally do more damage to the installation (or at
least that one list) in the process.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
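As an added example (not from this thread or the Mailman project), a defender-side check for the scenario Mark describes, a dictionary attack against the admin login of an existing list: it scans constructed Apache access-log lines for bursts of POSTs to a list's admin URL from one source. It assumes the default Mailman 2 URL layout (/mailman/admin/<listname>) and that the login form POSTs to that URL without a category suffix.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format sample (not real traffic): one host
# hammers the login form of the existing list "announce"; another logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2009:20:40:01 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 4096 "-" "curl/7.19"
203.0.113.7 - - [05/Jan/2009:20:40:02 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 4096 "-" "curl/7.19"
203.0.113.7 - - [05/Jan/2009:20:40:02 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 4096 "-" "curl/7.19"
203.0.113.7 - - [05/Jan/2009:20:40:03 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 4096 "-" "curl/7.19"
203.0.113.7 - - [05/Jan/2009:20:40:04 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 4096 "-" "curl/7.19"
198.51.100.3 - - [05/Jan/2009:20:41:10 +0100] "POST /mailman/admin/announce HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Jan/2009:20:41:30 +0100] "GET /mailman/admin/announce/general HTTP/1.1" 200 15020 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')
# Assumption: default Mailman 2 URL layout, where the admin login form POSTs
# to /mailman/admin/<listname> with no category suffix (admin pages sit below it).
LOGIN_RE = re.compile(r'^/mailman/admin/(?P<list>[^/?]+)/?$')


def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path')


def find_admin_login_bursts(log_text, window_seconds=60, threshold=5):
    """Map (ip, list) -> peak number of login POSTs seen inside one sliding window."""
    recent = defaultdict(deque)  # (ip, list) -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        login = LOGIN_RE.match(path)
        if method != 'POST' or login is None:
            continue  # only login-form submissions count, not admin page views
        key = (ip, login.group('list'))
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts that fell out of the window
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged
```

A flagged (ip, list) pair is a candidate for rate limiting at the web server and for a reminder to that list's owner about password strength.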