[Mailman-Users] Mailman Password Completion Vulnerability

Mark Sapiro mark at msapiro.net
Fri Nov 6 00:09:49 CET 2009

Barry Finkel wrote:
>Am I correct in assuming that in order to "fix" this, I would have to
>go to directory
>     /etc/mailman/en
>and modify these HTML files that contain the string "password":
>     admlogin.html    contains "<FORM METHOD=POST ACTION="%(path)s">"
>     listinfo.html    contains "<MM-Roster-Form-Start>"
>     options.html     contains "<MM-Form-Start>"
>and the place where the two "Form-Start" strings are defined,
>In ther long run, is the change worth making?  Thanks.

It is more complex than that, but do you want to do it? If I understand
correctly, the consequences will be that at least simple, web browser
password managers will not remember these passwords for their users.

There is a downside to not disabling browser password management in
that a user at a public work station can allow a browser to remember a
password and this is bad, but whether this is something worth
disabling all password management for is something you need to

If you want to do it, the places where Mailman accepts passwords are:

- the admin and admindb login pages which are built from the
admlogin.html template

- the private archive login page which is built from the private.html

- the user options login page which is hard coded in the loginpage()
function in Mailman/Cgi/options.py

- the roster request form on the listinfo page built using the
<MM-Roster-Form-Start> tag on the listinfo.html template.

- the subscribe form on the listinfo page built using the
<MM-Subscribe-Form-Start> tag on the listinfo.html template.

- the password change fields which are part of the entire, multi-button
form on the user options page using the <MM-Form-Start> tag.

You do not edit templates in the various templates/en/, etc.
directories. If you want to make site wide edited templates, you put
them in directories named templates/site/en/, etc. See the FAQ at

All the various <MM-*Form-Start> tags are ultimately processed by the
FormatFormStart() method defined in Mailman/HTMLFormatter.py

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list