[Mailman-Users] Mailman Password Completion Vulnerability
Barry Finkel
b19141 at anl.gov
Thu Nov 5 22:35:42 CET 2009
My Mailman 2.1.12 server was flagged with a low-risk vulnerability:
42057 Web Server Allows Password Auto-Completion
and I cannot tell from the description what URLs have this
vulnerability, nor do I know how to correct it. I know little
about apache. One Google search at this URL
https://developer.mozilla.org/en/How_to_Turn_Off_Form_Autocompletion
shows:
--------
For example, a typical form element line with autocompletion turned off
might look like the following:
<form name="form1" id="form1" method="post" autocomplete="off"
action="http://www.example.com/form.cgi">
[...]
</form>
This form attribute is not part of any web standards but was first
introduced in Microsoft's Internet Explorer 5. Netscape introduced it
in version 6.2 -- in prior versions, this attribute is ignored. The
autocomplete attribute was added at the insistence of banks and card
issuers -- but never followed through on to reach standards
certification.
--------
Am I correct in assuming that in order to "fix" this, I would have to
go to directory
/etc/mailman/en
and modify these HTML files that contain the string "password":
admlogin.html contains "<FORM METHOD=POST ACTION="%(path)s">"
listinfo.html contains "<MM-Roster-Form-Start>"
options.html contains "<MM-Form-Start>"
and the place where the two "Form-Start" strings are defined?
In the long run, is the change worth making? Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile: +1 (630) 252-4601
Building 240, Room 5.B.8 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
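As an added illustration (not code from the post or from Mailman), the following Python scans template text for FORM blocks that contain a password input and adds autocomplete="off" to the FORM tag only where it is missing, so it can be run repeatedly over the same file. The sample template is constructed in the shape of the admlogin.html line quoted above; the INPUT lines are an assumption. It only handles literal FORM tags, not the <MM-...-Form-Start> placeholders, which Mailman expands elsewhere.

```python
import re

# Constructed sample in the shape of the admlogin.html line quoted in the
# post; the INPUT lines are an assumption added for illustration.
SAMPLE_ADMLOGIN = """<FORM METHOD=POST ACTION="%(path)s">
<INPUT TYPE="password" NAME="adminpw" SIZE="30">
<INPUT TYPE="submit" VALUE="Let me in...">
</FORM>"""

FORM_BLOCK_RE = re.compile(r"<form\b[^>]*>.*?</form\s*>", re.IGNORECASE | re.DOTALL)
FORM_TAG_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE | re.DOTALL)
PASSWORD_INPUT_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password\b", re.IGNORECASE)
AUTOCOMPLETE_OFF_RE = re.compile(r"\bautocomplete\s*=\s*[\"']?off\b", re.IGNORECASE)


def password_forms(html):
    """List (form_tag, autocomplete_off) for each form that holds a password input."""
    found = []
    for block in FORM_BLOCK_RE.findall(html):
        if PASSWORD_INPUT_RE.search(block):
            tag = FORM_TAG_RE.match(block).group(0)
            found.append((tag, bool(AUTOCOMPLETE_OFF_RE.search(tag))))
    return found


def add_autocomplete_off(html):
    """Return html with autocomplete="off" on every password form's FORM tag.

    Forms without a password input, and forms already marked, are left
    untouched, so running this twice over a template changes nothing.
    """
    def patch(match):
        block = match.group(0)
        tag = FORM_TAG_RE.match(block).group(0)
        if not PASSWORD_INPUT_RE.search(block) or AUTOCOMPLETE_OFF_RE.search(tag):
            return block
        new_tag = tag[:-1] + ' autocomplete="off">'
        return new_tag + block[len(tag):]
    return FORM_BLOCK_RE.sub(patch, html)


if __name__ == "__main__":
    # Report which password forms still lack the attribute, then show the patched template.
    for tag, ok in password_forms(SAMPLE_ADMLOGIN):
        print("OK  " if ok else "FLAG", tag)
    print(add_autocomplete_off(SAMPLE_ADMLOGIN))
```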