[Mailman-Users] Possible Security Issue with Mailman v1.1 and 2.0.5

Chuq Von Rospach chuqui at plaidworks.com
Sun Jul 15 00:03:17 CEST 2001

It's a debugging thing. Look in ~mailman/scripts/driver for STEALTH_MODE. It
should be set to 1, which disables the traceback to the web page.

This is really a non-issue for anyone who cares -- and debugs their
installation. Just turn STEALTH_MODE to 1, and the tracebacks only go to the

On 7/14/01 8:38 AM, "Joshua Jore" <moomonk at daisy-chan.org> wrote:

> Huh. I'm only a user of mailman but this doesn't do anything to my host
> using Mailman 2.0.5. This is pretty much a default install with a single
> group. Isaac, can you tell us more detail on when this happens?
> Josh
> On Sat, 14 Jul 2001, isaac dawson wrote:
>> Hello,
>> My name is Isaac Dawson and I work for a security auditing company. When
>> working on a client who uses your mailman program, I noticed any
>> un-authenticated user can spill the environment variables of the host.
>> Case in point: http://mailman.list.org/mailman/edithtml
>> This may not seem like much, but it will give an attacker much more
>> information about what is installed, the path, and the OS. I will be
>> submitting this bug to securityfocus.com but only after I notify you. Please
>> respond ASAP!
>> Thank you,
>> Isaac Dawson
>> Security Engineer
>> Athena Group, Inc
>> p:781.641.1310 x 205
> ------------------------------------------------------
> Mailman-Users maillist  -  Mailman-Users at python.org
> http://mail.python.org/mailman/listinfo/mailman-users
Chuq Von Rospach, Internet Gnome <http://www.chuqui.com>
[<chuqui at plaidworks.com> = <me at chuqui.com> = <chuq at apple.com>]
Yes, yes, I've finally finished my home page. Lucky you.

You know, I Remember When I Used To Speak In Capitals, Too. It's addictive.
It also encourages people to poke sticks at you. Justifiably. (chuq, 1992)
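
The behaviour the reply describes, sketched as an added example (not part of the original message and not Mailman's own `scripts/driver` code): a CGI wrapper that always logs the traceback and environment but echoes them to the browser only when stealth mode is off. `run_cgi`, `broken_handler` and `SAMPLE_ENV` are hypothetical names, the environment values are constructed, and the code is modern Python 3.

```python
import html
import io
import traceback

STEALTH_MODE = 1  # 1: tracebacks go to the log only; 0: also echoed to the browser


def run_cgi(handler, environ, log, stealth=STEALTH_MODE):
    """Run handler(environ) and return the HTML body sent to the browser.

    On an unhandled exception the traceback and environment are always
    written to `log`; they reach the browser only when `stealth` is off.
    """
    try:
        return handler(environ)
    except Exception:
        tb = traceback.format_exc()
        env_dump = "\n".join(f"{k}: {v}" for k, v in sorted(environ.items()))
        log.write(tb + "\nEnvironment:\n" + env_dump + "\n")
        body = "<h1>Bug in the list software</h1>\n<p>The error was logged.</p>\n"
        if not stealth:
            # Debug behaviour: this is what exposes paths and server details
            # to any unauthenticated visitor who can trigger the error.
            body += "<pre>" + html.escape(tb + "\n" + env_dump) + "</pre>\n"
        return body


def broken_handler(environ):
    # Hypothetical CGI script that fails when called without PATH_INFO.
    return "<p>Editing %s</p>" % environ["PATH_INFO"]


# Constructed sample environment, not taken from any real host.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "SCRIPT_NAME": "/mailman/edithtml",
    "SERVER_SOFTWARE": "Apache/1.3 (Unix)",
}

if __name__ == "__main__":
    for mode in (0, 1):
        log = io.StringIO()
        page = run_cgi(broken_handler, SAMPLE_ENV, log, stealth=mode)
        print(f"STEALTH_MODE={mode}: env in page={'PATH:' in page}, "
              f"env in log={'PATH:' in log.getvalue()}")
```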
