[Mailman-Users] ack! security bug and question.

Listwrangler listwrangler at iximd.com
Wed Sep 22 19:19:52 CEST 1999

While resetting my subscriptions to digest, I decided to experiment a bit.
I notice that you only have to enter an email address in order to get
access to the page of edit options -- no password needed.

Thus if you're wondering if a particular individual is subscribed to a
particular list, you can type in their name and get their edit page. Which
is confirmation that they are subscribed. For certain lists, that would be
a confidentiality issue. It is for several of my lists. I have set the
configuration to hide membership list...

But... I typed in the address of a person I know is subscribed, and poof! I
got their edit page -- without having to enter a password. So now if I know
an email addy I can confirm whether a person is a member of an email list
or not -- even if the administrator has hidden the membership list.

My question is this: if a user has clicked to hide his list membership, can
somebody who knows their email addy click into their subscription page and
see their info? My ISP flooded and burned and still hasn't fixed it so that
I can get into the admin pages, so I can't fiddle around testing it.

Since most users don't have this much subtlety when it comes to security,
wouldn't it be better to require the password *before* allowing people to
access their edit page?

Basically, if you know someone's email, and have an idea of their area of
interests, you can scope out their mailing list memberships. Most people
don't care, but some do. I have members that do. They aren't
technologically skilled enough to have detected this gap in their privacy,
and I now have an ethical question: Tell them, and have them flip out? Or
decide that understanding the software is their obligation, not mine, and
it's not my responsibility to decide if their confidentiality needs have
been met?

So I really need to know exactly how this stuff works in order to make a
management decision.

I suppose some might think this is a trivial concern, but once in a while
we do get somebody with a personal vendetta trying to cause crap for us or
one of our users. In each case the malicious person was, in my humble
opinion, a fruitcake, but one of them was actually a technically competent
fruitcake. My organization operates in the field of mental health and civil
rights, so lunatics and bigots are an occupational hazard. Prevention is
the best disaster recovery plan of all.


listwrangler at iximd.com
List administrator and webmaster

For help with subscribe/unsubscribe, troubleshooting, or more info about
The American Boyz email lists, please visit:
home.iximd.com/~amboyz/online.html, or request a copy of the Amboyz Elist
Help File to be emailed to you.

If you are familiar with Mailman, the following lists are implemented with
Mailman and use standard Mailman features: Amboyz-Main, Amboyz-Announce,
TrueSpirit, and ElderTG

The American Boyz, Inc. (not-for-profit)
212A S. Bridge St, #131, Elkton, MD, 21921
FAX: 410-620-2024; URL: home.iximd.com/~amboyz; EMAIL: amboyz at iximd.com
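The disclosure described above, as an added illustration that is not part of the original post or of Mailman's code: a lookup that hands out the options page on an address alone is shown beside one that demands the password first and answers identically for subscribed and unsubscribed addresses. The member store, addresses and password are constructed stand-ins.

```python
"""Membership disclosure: address-only options page beside a hardened one."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory stand-in for a list's member records (not Mailman's).
MEMBERS: Dict[str, dict] = {}
# Used so an unknown address costs the same hashing work as a known one.
DUMMY_SALT = secrets.token_bytes(16)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_member(address: str, password: str, hide_membership: bool = False) -> None:
    salt = secrets.token_bytes(16)
    MEMBERS[address.lower()] = {
        "salt": salt, "pw": _hash_password(password, salt), "hidden": hide_membership,
    }


def vulnerable_options_page(address: str) -> str:
    """Behaviour the post describes: the address alone confirms membership."""
    if address.lower() in MEMBERS:
        return "options page for " + address   # differs for members: leaks membership
    return "no such member"


def hardened_options_page(address: str, password: Optional[str]) -> str:
    """Check the password before showing anything, and give one generic answer
    for a wrong password, a missing password and an unknown address alike."""
    generic = "If that address is subscribed, check the password and try again."
    member = MEMBERS.get(address.lower())
    salt = member["salt"] if member else DUMMY_SALT
    given = _hash_password(password or "", salt)      # always do the same work
    if member is None or not hmac.compare_digest(member["pw"], given):
        return generic
    return "options page for " + address


def discloses_membership(lookup: Callable[[str], str], member: str, stranger: str) -> bool:
    """Admin self-check: does the page answer differently for a subscribed and
    an unsubscribed address when no password is supplied?"""
    return lookup(member) != lookup(stranger)


# Constructed sample member with membership hidden, as in the post's scenario.
add_member("alice@example.org", "correct horse", hide_membership=True)
```

Running `discloses_membership` against both functions shows the first answers differently for the known member and the second does not.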
