[Mailman-Users] Bug found in Mailman 2.1Beta
Barry A. Warsaw
barry at zope.com
Fri May 3 06:02:52 CEST 2002
>>>>> "DT" == Danny Terweij <danny at terweij.nl> writes:
DT> When you go to:
DT> http://yourdomain.com/mailman.listinfo/[listname]
DT> You, as a normal member, know a member's email address from that
DT> list and write that email address in the input field:
DT> To unsubscribe from [listname], get a password reminder, or
DT> change your subscription options enter your subscription email
DT> address:
DT> [ a.member at domain.com ] {unsubscribe or edit options}
DT> If you leave the field blank, you will be prompted for your
DT> email address
DT> You can just edit another member's options and can even change
DT> the password.
DT> Please, this is not a good situation.
DT> It was not me who discovered it, but a member from a list.

This is not how it works in MM2.1. Are you sure you're not already
authenticated to the list with the list owner's password? Go to the
admin page for the list and hit "Log out" to be sure.

If you type in a random member's address in the "Unsubscribe or edit
options" field, you will be presented with a log in page. You cannot
even view the user's options without logging in. You can, however,
request a password reminder, or initiate the first part of a mailback
unsubscribe confirmation sequence. Depending on the privacy settings
of the list, the exact contents of the login page will differ
slightly, so that at the most paranoid setting you won't even be told
whether the address you entered is even a member of the list or not.

-Barry
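
The access rule described in the reply above, as an added sketch that is not part of the original message and is not Mailman's code: options are shown only after a member or list-owner password is supplied, and with the strictest setting the login page is identical for members and non-members. `MailingList`, `options_page`, `hide_membership` and the sample addresses and passwords are hypothetical names and constructed data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(password: str) -> bytes:
    # Unsalted SHA-256 keeps the sketch short; real storage needs a salted KDF.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class MailingList:
    admin_digest: bytes
    members: dict = field(default_factory=dict)  # address -> password digest
    hide_membership: bool = True                 # the "most paranoid" setting


def options_page(mlist, address, password=None):
    """Return (page, message) for a request to view `address`'s options."""
    address = address.strip().lower()
    member_digest = mlist.members.get(address)
    if password is not None:
        supplied = _digest(password)
        # The list owner's password also opens any member's options, which is
        # why a still-logged-in owner session can look like a missing check.
        is_admin = hmac.compare_digest(supplied, mlist.admin_digest)
        # Unknown addresses are compared against a dummy digest so both
        # cases do the same work.
        is_member = hmac.compare_digest(supplied, member_digest or _digest(""))
        if member_digest is not None and (is_admin or is_member):
            return ("options", f"Options for {address}")
        return ("login", "Authentication failed.")
    if member_digest is None and not mlist.hide_membership:
        return ("error", f"No such member: {address}")
    # Unauthenticated: never show options. With hide_membership on, members
    # and non-members receive the identical login page.
    return ("login", "Enter your password to continue.")


def demo_list(hide_membership=True):
    # Constructed sample data, not taken from any real list.
    return MailingList(_digest("owner-pw"),
                       {"a.member@example.com": _digest("member-pw")},
                       hide_membership)
```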