[Mailman-Users] Mailman Security.

Barry A. Warsaw barry at python.org
Wed Feb 5 15:08:59 CET 2003

>>>>> "d" == dino  <dinouk at orange.net> writes:

    d> I was just wondering what kind of security mailman offers, as
    d> far as protecting user passwords goes?

User passwords are considered a lower value asset, so while it should
not be possible for unauthorized users or list admins to get them,
they can still be transmitted in the clear (either via the monthly
reminders -- which can be turned off, or by unprotected http login).

To support the monthly reminders, user passwords are kept in the
database in cleartext.  Anyone with shell access and permissions to
the Mailman installation can get them.

    d> A techy friend of mine has just kindly emailed me a list of all
    d> users and their passwords! Looking at my server logs it would
    d> appear that he snuck in somehow via anonymous ftp.

This must have been a local system vulnerability.  Mailman doesn't use
ftp, anonymous or otherwise.

    d> Would closing the anon. ftp service stop mailman working in
    d> any way, or dya reckon he got in some place else?

On your system, sure, if that's how he got in.  But this isn't an
attack inherent to Mailman, AFAIK.
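As an added illustration (not Mailman's own code; the member table below is constructed), the trade-off Barry describes: a cleartext table can feed the monthly reminder but hands every password to anyone who can read the database, while a salted PBKDF2 store can only verify a password and has to answer a reminder with a reset instead.

```python
import hashlib
import hmac
import os

# Constructed sample of a cleartext member password table, in the spirit of
# what the post says Mailman keeps (assumption: not the real file format).
CLEARTEXT_MEMBERS = {"alice@example.org": "hunter2", "bob@example.org": "swordfish"}


def cleartext_reminder(members, address):
    """Cleartext storage is what makes echoing the password back possible."""
    return f"Your list password is: {members[address]}"


class HashedPasswordStore:
    """Hardened alternative: keep only a per-member salt and PBKDF2 digest."""

    ITERATIONS = 200_000

    def __init__(self):
        self._entries = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, address, password):
        salt = os.urandom(16)
        self._entries[address] = (salt, self._digest(password, salt))

    def verify(self, address, password):
        entry = self._entries.get(address)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(self._digest(password, salt), digest)

    def reminder(self, address):
        # The digest is one-way, so the mail cannot contain the password.
        return "Your password cannot be shown; use the reset link to choose a new one."

    def dump(self):
        """What shell access to the database reveals: salts and digests only."""
        return {a: (s.hex(), d.hex()) for a, (s, d) in self._entries.items()}


def build_hashed_store(cleartext_members):
    store = HashedPasswordStore()
    for address, password in cleartext_members.items():
        store.set_password(address, password)
    return store


def passwords_visible_in_dump(dumped, cleartext_members):
    """Return the cleartext passwords that can be read straight out of a dump."""
    blob = " ".join(" ".join(v) for v in dumped.values())
    return [p for p in cleartext_members.values() if p in blob]
```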


