[Mailman-Users] MM admin interface wide open
cite+mailman-users at incertum.net
Thu Aug 27 12:59:43 CEST 2009
* Mark Sapiro <mark at msapiro.net>:
> Mark Sapiro wrote:
> >Ulf Hofemeier wrote:
> >>PS. if you email me, I can provide you with the URL to my MM installation.
> >If you send it to me, I'll check it out.
> After a little off list back and forth, Ulf wrote:
> >I had no site admin password set. Setting one with mmsitepass did the
> >trick. Thank you for pointing this out. Maybe it would be worthwhile
> >to add a line of code that checks whether a site admin pass has been
> >set for future versions? I tried to find a solution for my problem on
> >your mailman-user list, but couldn't. I have a hard time believing
> >that I'm the only one who has run into this problem though.
> >Thank you for looking into it. Great support and I appreciate it :-)
> Not having ever set a site password should not cause this problem. If
> the password was never set, there would be no data/adm.pw file at all
> and authenticating the site password should fail.
> I think this issue could only occur if at some point someone actually
> set a null site password.
> Still, it's worth fixing it so that a null password doesn't work. I
> can't see that anyone would actually want passwordless access to the
> admin interface except maybe in the case of a server that was not
> exposed on the internet al all, but probably not even then.
> Does anyone need to have null passwords work in Mailman?
I could only think of a corporate server, where the directories
containing Mailman's admin interface are protected by e.g.
Kerberos/LDAP (i.e. Active Directory).
More information about the Mailman-Users