[Mailman-Users] Disabling mailman/create Web Page
George A. Theall
theall at tifaware.com
Fri Sep 4 21:09:00 CEST 2009
On Fri, Sep 04, 2009 at 09:02:58AM -0500, Barry Finkel wrote:
> Our cyber security group sent me notice of a vulnerability in
> a Mailman web page:
>
> Web Application Potentially Sensitive CGI Parameter Detection
This almost certainly is from a Nessus scan - see:
http://www.nessus.org/plugins/index.php?view=single&id=40773
This particular "plugin" isn't reporting a vulnerability per se (i.e., its
risk factor is "None"). Instead, it notes that the name of one or more
parameters suggests it might be sensitive in some fashion.
> I think it is the URL:
>
> mailman/create
Probably. That form has a parameter named 'password' ("Initial list
password"), which could be sniffed if the target web server doesn't use
HTTPS.
> As I do not use that web page to create a new Mailman list, I want to
> disable that page.
Not a bad idea.
Disclaimer: I work for Tenable Network Security as Director of
Vulnerability Research, which, among other things, is responsible for
writing the plugins for Nessus.
George
--
theall at tifaware.com
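An added illustration of the kind of check the thread is talking about: a purely name-based scan of HTML form fields that flags parameters whose names look sensitive, and then records separately whether the form would submit them over plain HTTP. This is not Tenable's plugin code and not part of Mailman; the HTML below is constructed for the example, and apart from the 'password' field mentioned above every field name, hostname and URL in it is made up.

```python
"""Added example: a name-based 'potentially sensitive parameter' check.

Not Nessus plugin code. The page HTML and the hostnames are constructed;
only the 'password' field name comes from the mailing-list thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that make a parameter *name* look sensitive. The match is
# purely lexical, which is why such a finding is informational on its
# own: a field called 'password' only becomes an exposure together with
# something else, such as plaintext HTTP.
SENSITIVE_NAME_HINTS = ("password", "passwd", "passphrase", "secret", "token", "apikey")


class FormFieldCollector(HTMLParser):
    """Collects every <form> and the named fields submitted with it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(
                    {"name": name, "type": (a.get("type") or "text").lower()}
                )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_sensitive(name):
    """True if the parameter name contains one of the hint substrings."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def assess_page(page_url, html):
    """Return one finding per form that carries a sensitive-looking field.

    'plaintext' is what turns a name match into a real problem: the value
    crosses the wire unencrypted and can be sniffed.  'in_query_string'
    flags GET forms, where the value would also land in server and proxy
    logs and in browser history.
    """
    collector = FormFieldCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        flagged = [f["name"] for f in form["fields"] if looks_sensitive(f["name"])]
        if not flagged:
            continue
        target = urljoin(page_url, form["action"])
        findings.append({
            "action": target,
            "method": form["method"],
            "parameters": flagged,
            "plaintext": urlsplit(target).scheme != "https",
            "in_query_string": form["method"] == "get",
        })
    return findings


# Constructed stand-in for a list-creation page.  Only the 'password'
# field name is taken from the thread; everything else is invented.
CREATE_PAGE_HTML = """
<html><body>
<form method="POST" action="create">
  <input type="text" name="listname">
  <input type="text" name="owner">
  <input type="password" name="password">
  <input type="password" name="confirm">
  <input type="submit" value="Create List">
</form>
</body></html>
"""


def demo():
    # Hypothetical hostname; same form served with and without TLS.
    for url in ("http://lists.example.org/mailman/create",
                "https://lists.example.org/mailman/create"):
        for finding in assess_page(url, CREATE_PAGE_HTML):
            print(url, finding["parameters"],
                  "PLAINTEXT" if finding["plaintext"] else "tls")


if __name__ == "__main__":
    demo()
```

Run against the constructed page, the http:// URL yields one finding for the 'password' parameter marked plaintext, while the https:// URL yields the same name match with plaintext cleared, which is the distinction between an informational note and something worth acting on.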