[Mailman-Developers] Doubt about security

Terri Oda terri at zone12.com
Mon Jan 5 20:25:17 CET 2009


On 2009-Jan-5, at 2:03 PM, Barry Warsaw wrote:
>> I suspect the default should be to not expose those things.  I wasn't even
>> aware that list creation through the web was possible.  Based on the
>> extremely novice questions I see posted to mailman-users on occasion I
>> suspect many potential Mailman admins are unaware of this as well.  I fear
>> those admins are also the ones most likely to not create strong passwords.
> Note that by default, it's not possible to create mailing lists
> through the web even though the link exists.  You have to create a
> site password or 'list creators' password to enable this feature.  A
> site admin should know enough to set these passwords to something
> strong and difficult to brute force.
> Still, the suggestion for disabling this CGI is easy enough, and if
> you have shell access to create those passwords, you have shell
> access to disable the CGI.

This seems like it might be more of a failure in documentation/understanding
than a failure in security.  All this information is readily available (both
about the fact that you can create from the web by default, and the fact that
this can be disabled) but obviously people aren't finding it or don't even
know to look for it.

I'll try to poke around and figure out where to put it when I get home from
work.  I'm guessing we could use some pointers in the install guides?  Or
perhaps I should work up a short intro to mailman security for new users who
don't know the likely attack points?

  Terri
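As an added example (not code from this thread or from the Mailman project), the check an admin could run from the shell to see where a Mailman 2 install stands on the point Barry makes above: whether the "create" CGI is reachable, whether a site or list-creator password has been set, and how to take the CGI out of the web path. The file layout ($PREFIX/cgi-bin/create, $PREFIX/data/adm.pw, $PREFIX/data/creator.pw, and bin/mmsitepass as the tool that writes the password files) is assumed from the Mailman 2.1 layout and should be verified against your own install; the sample trees the script builds are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Mailman project.
# Audits one Mailman 2 install prefix for the web list-creation surface.
# Assumed Mailman 2.1 layout (verify against your install):
#   $PREFIX/cgi-bin/create   - the "create" CGI wrapper
#   $PREFIX/data/adm.pw      - site password hash, written by bin/mmsitepass
#   $PREFIX/data/creator.pw  - list-creator password hash, bin/mmsitepass -c

# audit_create_cgi PREFIX
# returns 0: CGI absent or not executable (web creation off at the web layer)
# returns 1: CGI executable and a site/creator password set (feature enabled)
# returns 2: CGI executable, no password set (Mailman itself refuses creation,
#            but the wrapper is still reachable; disable it if never wanted)
audit_create_cgi() {
  prefix=$1
  cgi="$prefix/cgi-bin/create"
  if [ ! -x "$cgi" ]; then
    echo "$prefix: create CGI absent or not executable -> web list creation off"
    return 0
  fi
  if [ -s "$prefix/data/adm.pw" ] || [ -s "$prefix/data/creator.pw" ]; then
    echo "$prefix: create CGI live and a site/creator password exists -> enabled"
    return 1
  fi
  echo "$prefix: create CGI live but no site/creator password -> reachable, unused"
  return 2
}

# disable_create_cgi PREFIX
# The shell-side fix from the thread: take the wrapper out of the web path.
# It is made non-executable rather than deleted so a later audit still sees
# it; pair this with your web server's own deny rule for the URL.
disable_create_cgi() {
  chmod 000 "$1/cgi-bin/create"
}

# make_sample_prefix DIR MODE
# Constructed sample trees for a dry run (no real Mailman needed). MODE:
#   none     - no CGI at all
#   nopw     - executable CGI, no password files
#   creator  - executable CGI plus a constructed (not real) creator.pw
make_sample_prefix() {
  dir=$1; mode=$2
  mkdir -p "$dir/cgi-bin" "$dir/data"
  if [ "$mode" = none ]; then
    return 0
  fi
  : > "$dir/cgi-bin/create"
  chmod 755 "$dir/cgi-bin/create"
  if [ "$mode" = creator ]; then
    echo "constructed-hash-not-a-real-password" > "$dir/data/creator.pw"
  fi
  return 0
}

# Dry run over the three constructed layouts, then disable the live one.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
  base=$(mktemp -d)
  for mode in none nopw creator; do
    make_sample_prefix "$base/$mode" "$mode"
    audit_create_cgi "$base/$mode" || true
  done
  disable_create_cgi "$base/creator"
  audit_create_cgi "$base/creator" || true
  rm -rf "$base"
fi
```

Run it against a real prefix with `AUDIT_DEMO=0 . ./audit.sh; audit_create_cgi /usr/local/mailman` (path is an assumption). A return of 2 is the situation the quoted mail describes: the link on the admin page leads somewhere, Mailman will not act on it without a password, but the CGI is still a reachable endpoint that a site which never wants web creation can simply remove.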