[Mailman-Users] Mailman directory located in public HTML directory

Mark Sapiro mark at msapiro.net
Tue Dec 17 19:01:32 CET 2013


On 12/17/2013 06:46 AM, Jon 1234 wrote:
> When I installed Mailman 2.14 I put it in the domain.com/mailman/ directory. This is because Mailman is accessed via domain.com/mailman/ and I thought the files had to be there...
> 
> It does work but is this a potential security problem? What would be the best way to fix this?


Whether or not this is a security issue depends on your web server.
There are files that contain potentially sensitive information that are
world readable and/or readable by the web server. In particular, private
archives may be sensitive, Mailman/mm_cfg.py can contain
SUBSCRIBE_FORM_SECRET and possibly other sensitive information and
lists/*/config.pck files may be owned by the web server depending on how
they were last updated and they contain membership data.

However, typically, URLs of the form http://domain.com/mailman/... (HTTP
GETs and POSTs of /mailman/...) are processed by the web server via some
script alias that invokes a mailman/cgi-bin/ program to process the
request. Thus, files in the domain.com/mailman/ directory should not be
directly retrievable by an http GET, but if they are, it's an issue.
Thus the normal recommendation is to install Mailman in a directory
outside the web server's normal accessible structure.

If you want to fix it, stop Mailman, rerun configure and make install,
move the lists/ and archives/ directories to the new location. Update
the Mailman stuff in your web server and maybe MTA (or maybe run
bin/genaliases) and start Mailman.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
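The two conditions Mark describes can be checked locally before deciding whether to relocate the install: is the Mailman prefix inside the web server's document root at all, and which of the files he names (Mailman/mm_cfg.py, lists/*/config.pck, private archives) are world-readable. The script below is an added example written for this thread, not Mailman's own code; the relative paths come from Mark's message, and the sample tree it builds (public_html/mailman with a few files of assumed modes) is constructed purely for the demonstration.

```python
"""Audit a Mailman 2.x prefix for the two exposures discussed above:
the prefix living under the web server's DocumentRoot, and sensitive
files that are world-readable.  Added example; paths are the ones
named in the thread, the sample tree is constructed for the demo."""
import os
import stat
import tempfile
from pathlib import Path

# Files Mark singles out as sensitive, relative to the Mailman prefix.
SENSITIVE_GLOBS = (
    "Mailman/mm_cfg.py",          # may hold SUBSCRIBE_FORM_SECRET
    "lists/*/config.pck",         # pickled list config incl. members
    "archives/private/**/*",      # private archive pages
)


def prefix_in_docroot(prefix, docroot):
    """True if the Mailman prefix is the DocumentRoot or lies beneath it."""
    prefix = Path(prefix).resolve()
    docroot = Path(docroot).resolve()
    return prefix == docroot or docroot in prefix.parents


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_files(prefix):
    """Sensitive regular files under prefix that any local user can read."""
    prefix = Path(prefix)
    exposed = []
    for pattern in SENSITIVE_GLOBS:
        for p in prefix.glob(pattern):
            if p.is_file() and world_readable(p):
                exposed.append(p.relative_to(prefix).as_posix())
    return sorted(exposed)


def audit(prefix, docroot):
    """Combine both checks into one report dict."""
    return {
        "in_docroot": prefix_in_docroot(prefix, docroot),
        "world_readable": find_exposed_files(prefix),
    }


def make_sample_tree():
    """Constructed sample: Mailman installed at <docroot>/mailman (the
    layout the original poster describes), with mm_cfg.py and a private
    archive page world-readable and config.pck restricted to group."""
    root = Path(tempfile.mkdtemp(prefix="mm-audit-"))
    docroot = root / "public_html"
    prefix = docroot / "mailman"
    files = {
        "Mailman/mm_cfg.py": 0o644,
        "lists/announce/config.pck": 0o660,
        "archives/private/announce/index.html": 0o644,
    }
    for rel, mode in files.items():
        f = prefix / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("# constructed sample content\n")
        f.chmod(mode)
    return str(prefix), str(docroot)


if __name__ == "__main__":
    sample_prefix, sample_docroot = make_sample_tree()
    print(audit(sample_prefix, sample_docroot))
```

Run it against a real install by calling `audit("/path/to/mailman", "/path/to/DocumentRoot")`; an `in_docroot` of True is the situation the original poster has, and a non-empty `world_readable` list is what makes it matter if the web server ever serves those paths as static files rather than through the cgi-bin ScriptAlias.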