[Mailman-Users] MM admin interface wide open

Mark Sapiro mark at msapiro.net
Thu Aug 27 01:15:38 CEST 2009


Ulf Hofemeier wrote:
>
>I'm using MM 2.1.12 and am running into a problem that is rather nasty.
>In my case the MM admin interface is wide open, which means that I don't
>need a site admin pwd to access http://mydomain/mailman/admin/mylist. I
>can click on logout and it will take me to the logout page, but simply
>removing /logout from the URL will load the admin interface again.
>Deleting the cookie doesn't help, closing the browser doesn't help. Oh,
>yeah. The admin interface is accessible via Google as well.


Do you allow site admin cookies and do you have one?

Logout will remove the list admin cookie, but if you allow site admin
cookies and you have logged in with the site password, logout won't
remove that cookie.

This doesn't sound like that's the issue in your case however, and it
certainly isn't normal. Is this MM 2.1.12 installed from source or
from a vendor package? If a package, which one? Any patches?

Note that it is normal for the admin login page for a public list to be
indexed in Google, but Google's crawlers and people coming from Google
shouldn't be able to get past the login page without the password.


>PS. if you email me, I can provide you with the URL to my MM installation.


If you send it to me, I'll check it out.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


