[Mailman-Users] Privacy options.
Harald.Meland at usit.uio.no
Sun Jun 13 19:36:30 CEST 1999
[David Sean McNicholl]
> I have a password-protected list. I use administrator confirmation
> of posts. Last night someone was able to modify my pages to remove this
> option. Could they have done this without the password?
Unfortunately, there is a security flaw in all Mailman versions up to
and including 1.0rc1. The security flaw has been fixed in CVS, and
I'm hoping there will be a new release shortly.
> How can I check ?
If the security flaw is what's been used to get in, the break-in is
not easily traceable -- as the flaw is due to a misdesign in
Mailman's cookie authentication. Your web server access logs might
contain some hints.