[Mailman-Users] someone unsubscribed someone else by web w/o password

Andreas Schamanek schamanek at gmx.net
Sat May 11 14:07:36 CEST 2002


Hi folks,

  I am not yet absolutely sure about what has happened exactly. But
at the moment it all looks like somebody was able to unsubscribe a list's
member without knowing this member's password. My web logs show access

   POST /mailman/subscribe/mylist-l
   POST /mailman/handle_opts/mylist-l/someone at gmx.net

and immediately afterwards Mailman unsubscribed someone at gmx.net.
Because I know the person behind someone at gmx.net personally, I have to
consider this whole thing as a fraud. I have also checked the password
of someone at gmx.net, that was "uxgovo" which I consider unguessable :/

Have I missed a security fix? I am using MM 2.0.6, Python 2.0 and
Apache 1.3.19. I know that 2.0.6 is too old but I did not know that it
was vulnerable to such a nasty thing. Is it?

TIA,

-- Andreas 
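
A triage helper for the log pattern described in the message above, added here as an example; it is not part of the original post and not Mailman code. It lists every POST to `handle_opts` in an Apache access log and notes whether the same client POSTed to `subscribe` for that list shortly before. The Common Log Format layout, the constructed sample lines, the five-minute window and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Apache Common Log Format (documentation IP ranges,
# placeholder member addresses); not taken from the poster's server.
SAMPLE_LOG = """\
192.0.2.10 - - [11/May/2002:13:58:02 +0200] "GET /mailman/listinfo/mylist-l HTTP/1.0" 200 5120
192.0.2.10 - - [11/May/2002:13:58:40 +0200] "POST /mailman/subscribe/mylist-l HTTP/1.0" 200 2310
192.0.2.10 - - [11/May/2002:13:58:55 +0200] "POST /mailman/handle_opts/mylist-l/member@example.org HTTP/1.0" 200 1875
198.51.100.7 - - [11/May/2002:14:20:11 +0200] "POST /mailman/handle_opts/mylist-l/other@example.org HTTP/1.0" 200 1875
"""

# client, timestamp, method, path, status (ident/user/size fields are skipped)
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def find_option_posts(log_text, window=timedelta(minutes=5)):
    """Return one record per POST to /mailman/handle_opts/<list>/<member>."""
    last_subscribe = {}  # (client, list) -> time of latest subscribe POST
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, ts, method, path, status = m.groups()
        if method != "POST":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        parts = path.split("?")[0].strip("/").split("/")
        if parts[:2] == ["mailman", "subscribe"] and len(parts) == 3:
            last_subscribe[(client, parts[2])] = when
        elif parts[:2] == ["mailman", "handle_opts"] and len(parts) == 4:
            prev = last_subscribe.get((client, parts[2]))
            hits.append({
                "client": client,
                "list": parts[2],
                "member": unquote(parts[3]),
                "time": when,
                "status": int(status),
                # True when this client POSTed to subscribe for the list just before
                "after_subscribe_post": prev is not None and when - prev <= window,
            })
    return hits

if __name__ == "__main__":
    for hit in find_option_posts(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["client"], hit["member"],
              "subscribe-then-options" if hit["after_subscribe_post"] else "options-only")
```

Lining up the returned client addresses and times with the moment of the unsubscription shows which request coincided with it and where it came from.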






