[Mailman-Users] Edit options security flaw

Tokio Kikuchi tkikuchi at is.kochi-u.ac.jp
Tue Dec 14 01:07:15 CET 2004


Marius Amado Alves wrote:

> Sometimes version 2.1.5 lets a user A edit the options of another user B 
> as follows.
> 
> User A consults the member list (using his name and password normally). 
> Here A picks an email address of user B. User A returns to the main 
> page, enters the address of B in the Edit options slot and presses Edit 
> options. Normally Mailman requires a password, but sometimes IT DOES NOT 
> and goes straight to the editable options list page.
> 
> I'd like to know if somebody else has experienced this behavior.

Isn't user A also the owner of the list?
If he has logged in at the admin page and goes to the options page of any 
member of the list, then the password input is passed. Go to the admin 
page and click the Logout link. Then try again for user B.

-- 
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/



