[Mailman-Users] Umbrella List + Monthly Password Reminders = List Security Issue?
Mark Sapiro
msapiro at value.net
Thu Jun 1 16:35:21 CEST 2006
Mike Brudenell wrote:
>
>All the documentation I've read and help pages I've managed to locate give
>no clue of this behaviour. Instead they strongly imply that by setting the
>umbrella_list setting to YES that "password reminders" are sent to the
>list's owners by adding the specified suffix (typically "-owner") to each
>member's address.
>
>I'm now wondering if this is actually referring only to the "Please remind
>me of my password" link, not the monthly reminder. If so then a huge
>warning needs adding to the FAQ and documentation about umbrella lists
>advising admins NOT to turn on the monthly reminders for umbrella lists in
>order to avoid this big security issue.
>
>Or am I missing something/have something misconfigured?

I think you are correct. I think cron/mailpasswds should be fixed. I
don't know how this has been ignored for so long.

In the meantime, I think the following (Warning - totally untested and
watch out for wrapped lines) patch will fix it.

--- mailpasswds 2006-04-15 17:38:24.000000000 -0700
+++ mailpasswdsx 2006-06-01 07:30:07.843750000 -0700
@@ -162,6 +162,8 @@
optionsurl = mlist.GetOptionsURL(member)
lang = mlist.getMemberLanguage(member)
info = (listaddr, password, optionsurl, lang)
+ if mlist.umbrella_list:
+ member = mlist.GetMemberAdminEmail(member).lower()
userinfo.setdefault(member, []).append(info)
# Now that we've collected user information for this host,
send each
# user the password reminder.
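
Review bot: The two added lines rebind member to the suffixed owner address, so one name means the subscriber address above the change (it is passed to GetOptionsURL and getMemberLanguage) and the delivery address below it, where it becomes the userinfo key. A separate name for the delivery address, for example recipient = mlist.GetMemberAdminEmail(member).lower() followed by userinfo.setdefault(recipient, []).append(info), with recipient set to member for non-umbrella lists, would keep that distinction visible. It is also worth checking that the sending code after this hunk only uses the userinfo key as a destination and never looks it up as a list member, since for umbrella lists the key is no longer a subscribed address. A short comment above the new if saying that umbrella-list reminders must go to the sublist's owner address rather than the sublist itself would record why the redirect is there. Finally, the trailing context comment is wrapped onto a second line ("send each"), so it has to be rejoined before the patch will apply.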
--
Mark Sapiro <msapiro at value.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan