[Mailman-Users] MM admin interface wide open

Ulf Hofemeier ulf at ladb.unm.edu
Thu Aug 27 01:32:28 CEST 2009


Logout won't remove the cookie if there is one, but I doubt there is.  
ALLOW_SITE_ADMIN_COOKIES is set to NO. I compiled MM 2.1.12 from the  
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf at ladb.unm.edu

On Aug 26, 2009, at 5:15 PM, Mark Sapiro wrote:

> Ulf Hofemeier wrote:
>> I'm using MM 2.1.12 and am running into a problem that is rather nasty.
>> In my case the MM admin interface is wide open, which means that I don't
>> need a site admin pwd to access http://mydomain/mailman/admin/mylist. I
>> can click on logout and it will take me to the logout page, but simply
>> removing /logout from the URL will load the admin interface again.
>> Deleting the cookie doesn't help, closing the browser doesn't help. Oh,
>> yeah. The admin interface is accessible via Google as well.
> Do you allow site admin cookies and do you have one?
> Logout will remove the list admin cookie, but if you allow site admin
> cookies and you have logged in with the site password, logout won't
> remove that cookie.
> This doesn't sound like that's the issue in your case however, and it
> certainly isn't normal. Is this MM 2.1.12 installed from source or
> from a vendor package? If a package, which one? Any patches?
> Note that it is normal for the admin login page for a public list to be
> indexed in Google, but Google's crawlers and people coming from Google
> shouldn't be able to get past the login page without the password.
>> PS. if you email me, I can provide you with the URL to my MM installation.
> If you send it to me, I'll check it out.
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
