[Mailman-Users] virtual domain list disclosure and list email linkissue
Dennison Williams
dennison.williams at gmail.com
Fri Apr 16 20:01:19 CEST 2010
Thanks for your prompt response and your work on mailman.
Mark Sapiro wrote:
> Dennison Williams wrote:
>
>> The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
>> my Mailman/mm_cfg.py file I am still able to disclose other lists on
>> other domains through the url:
>> http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
>> There must be a another way around this, if not it should be considered
>> a minor security flaw. Can anyone point me in the right direction for
>> preventing this?
>>
>
>
> VIRTUAL_HOST_OVERVIEW controls what it's name implies, i.e. what lists
> appear on the listinfo and admin overview page. It is true, that by
> trying URLs such as you give above, that one could confirm the
> existence of a list in another domain and find its domain name from
> its listinfo page. If this is really a security issue for you, there
> are two choices.
>
> 1) Modify all the Mailman/Cgi/*.py modules along the lines of the
> attached listinfo.patch.txt, or
>
> 2) Install a separate Mailman instance for each domain.
>
>
>
OK. I think the proper method for this installation is separate mailman
installations.
>> The second issue is that all emails from the list are coming with links
>>
> >from the wrong domain. How can I get these links to reflect the domain
>
>> that the lists are for?
>>
>
>
> Web links or email links? If the web links are wrong, the lists must
> also appear on the wrong listinfo overview page. In any case, make
> sure every host has a correct
>
> add_virtualhost('hosts.web.domain', 'hosts.email.domain')
>
> in mm_cfg.py. Then run Mailman's
>
> bin/withlist -l -r fix_url listname -u web.host.for.this.list
>
> for every list. This will fix both web and email domains. Or, if the
> problem is only email domains, you can go to the web admin General
> Options page for every list and set the correct host_name attribute
> near the bottom of the page.
>
The issue was the link supplied in the bottom of emails from lists.
Your advise partially helped me fix it. The pointer to use seperate
email domains though is the solution that will properly solve this for
me. Thanks again.
More information about the Mailman-Users
mailing list