[Mailman-Users] Disabling mailman/create Web Page

Barry Finkel b19141 at anl.gov
Tue Sep 29 18:05:52 CEST 2009

I wrote on Sep 4:

>>>Our cyber security group sent me notice of a vulnerability in
>>>a Mailman web page:
>>>     Web Application Potentially Sensitive CGI Parameter Detection
>>>I think it is the URL:
>>>     mailman/create

and Mark Sapiro replied:

>>If there really is a Mailman security issue, please post the details to
>>mailman-security at python.org.

and "George A. Theall" <theall at tifaware.com> replied:

>This almost certainly is from a Nessus scan - see:
>  http://www.nessus.org/plugins/index.php?view=single&id=40773
>This particular "plugin" isn't reporting a vulnerability per se (i.e., its
>risk factor is "None").  Instead, it notes that the name of one or more
>parameters suggests it might be sensitive in some fashion.

>Disclaimer: I work for Tenable Network Security as Director of
>Vulnerability Research, which, among other things, is responsible for
>writing the plugins for Nessus.

I was able to block access to the


page on my Mailman test virtual machine, but the same code did not
work on the production Mailman machine.  I have asked my Apache expert
to look at why.

On the test machine I was successful, but a Nessus scan on that
machine still reports

     Web Application Potentially Sensitive CGI Parameter Detection

What other Mailman web page(s) would cause this?  Thanks.
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
