[Mailman-Users] Possible Security Issue with Mailman v1.1 and 2.0.5
Chuq Von Rospach
chuqui at plaidworks.com
Sun Jul 15 00:03:17 CEST 2001
It's a debugging thing. Look in ~mailman/scripts/driver for STEALTH_MODE. It
should be set to 1, which disables the traceback to the web page.
This is really a none-issue for anyone who cares -- and debugs their
installation. Just turn STEALTH_MODE to 1, and the tracebacks only go to the
logs.
On 7/14/01 8:38 AM, "Joshua Jore" <moomonk at daisy-chan.org> wrote:
> Huh. I'm only a user of mailman but this doesn't do anything to my host
> using Mailman 2.0.5. This is pretty much a default install with a single
> group. Isaac, can you tell us more detail on when this happens?
>
> Josh
>
> On Sat, 14 Jul 2001, isaac dawson wrote:
>
>> Hello,
>> My name is Isaac Dawson and I work for a security auditing company. When
>> working on a client who uses your mailman program, I noticed any
>> un-authenticated user can spill the environment variables of the host.
>> Case and Point: http://mailman.list.org/mailman/edithtml
>> This may not seem like much, but it will give an attacker much more
>> information about what is installed, the path, and the OS. I will be
>> submitting this bug to securityfocus.com but only after I notify you. Please
>> respond ASAP!
>> Thank you,
>> Isaac Dawson
>> Security Engineer
>> Athena Group, Inc
>> p:781.641.1310 x 205
>>
>>
>
>
> ------------------------------------------------------
> Mailman-Users maillist - Mailman-Users at python.org
> http://mail.python.org/mailman/listinfo/mailman-users
>
--
Chuq Von Rospach, Internet Gnome <http://www.chuqui.com>
[<chuqui at plaidworks.com> = <me at chuqui.com> = <chuq at apple.com>]
Yes, yes, I've finally finished my home page. Lucky you.
You know, I Remember When I Used To Speak In Capitals, Too. It's addictive.
It also encourages people to poke sticks at you. Justifiably. (chuq, 1992)
More information about the Mailman-Users
mailing list