[Mailman-Users] Disabling mailman/create Web Page

Mark Sapiro mark at msapiro.net
Wed Sep 30 03:01:38 CEST 2009


Barry Finkel wrote:
>
>I was able to block access to the
>
>     mailman/create
>
>page on my Mailman test virtual machine, but the same code did not
>work on the production Mailman machine.  I have asked my Apache expert
>to look at why.
>
>On the test machine I was successful, but a Nessus scan on that
>machine still reports
>
>     Web Application Potentially Sensitive CGI Parameter Detection
>
>What other Mailman web page(s) would cause this?  Thanks.

If I correctly understand George Theall's explanation, any page that
posts CGI fields with names that look like they might be passwords.
This includes any of the admindb, admin, private and options login
pages.

I don't know enough about how Nessus works to know if it can scan pages
that can only be reached after login, but if so, probably also the
admin Passwords page and the options page itself.

Again, if I correctly understand what Nessus is doing, there would seem
to be only two ways to avoid these reports: disable all web access to
Mailman, or allow only https access to Mailman. For the latter, see the
FAQ at <http://wiki.list.org/x/7oA9>.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
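The two measures discussed in this thread (denying the mailman/create page in Apache, and forcing https for everything under /mailman/) as one Apache httpd configuration. This is an added example, not configuration from the thread, the FAQ or the Mailman project; the hostname lists.example.com, the certificate paths and the cgi-bin path /usr/lib/mailman/cgi-bin are assumptions for illustration, and the directive forms shown are for Apache 2.4 (the 2.2 equivalents are given in comments).

```apache
# Added example, not from the thread: block the list-creation CGI and
# force all Mailman web access over https. Hostname, cert paths and the
# cgi-bin directory are assumptions; adjust to the local installation.

<VirtualHost *:80>
    ServerName lists.example.com

    # Any plain-http request for a Mailman page is redirected to https,
    # so no password-like CGI field is ever posted in the clear.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/mailman/(.*)$ https://%{HTTP_HOST}/mailman/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName lists.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/lists.example.com.key # assumed path

    # Mailman's CGI scripts (Debian-style path, assumed).
    ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
    <Directory /usr/lib/mailman/cgi-bin/>
        AllowOverride None
        Options ExecCGI
        Require all granted
        # Apache 2.2 equivalent:
        #   Order allow,deny
        #   Allow from all
    </Directory>

    # Deny the web list-creation page outright. <Location> matches the
    # URL path, so it applies before the ScriptAlias hands the request
    # to the CGI; "mailman/create/" with a trailing slash is covered too.
    <Location /mailman/create>
        Require all denied
        # Apache 2.2 equivalent:
        #   Order deny,allow
        #   Deny from all
    </Location>
</VirtualHost>
```

The <Location> block on its own is the part that failed to carry over to the production host in the thread; a common reason is that it sits in a different VirtualHost (or outside the one that actually serves /mailman/) than the ScriptAlias, so checking `apachectl -S` for which vhost owns the name is a quick first step. The redirect only covers Apache's side; for Mailman to generate https links itself, the FAQ referenced above describes setting DEFAULT_URL_PATTERN in mm_cfg.py to an https pattern and re-running fix_url on each list, and neither change will stop a scanner from flagging the login pages it can still reach over https.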