[Mailman-Users] Disabling mailman/create Web Page

George A. Theall theall at tifaware.com
Fri Sep 4 21:09:00 CEST 2009

On Fri, Sep 04, 2009 at 09:02:58AM -0500, Barry Finkel wrote:

> Our cyber security group sent me notice of a vulnerability in
> a Mailman web page:
>      Web Application Potentially Sensitive CGI Parameter Detection

This almost certainly is from a Nessus scan - see:


This particular "plugin" isn't reporting a vulnerability per se (ie, its
risk factor is "None").  Instead, it notes that the name of one or more
parameters suggests it might be sensitive in some fashion.

> I think it is the URL:
>      mailman/create

Probably.  That form has a parameter named 'password' ("Initial list
password"), which could be sniffed if the target web server doesn't use

> As I do not use that web page to create a new Mailman list, I want to
> disable that page.  

Not a bad idea.

Disclaimer: I work for Tenable Network Security as Director of
Vulnerability Research, which, among other things, is responsible for
writing the plugins for Nessus. 

theall at tifaware.com

More information about the Mailman-Users mailing list