[Mailman-Users] Is mailman vulnerable to the httpoxy bug?

Mark Sapiro mark at msapiro.net
Fri Jul 22 12:48:34 EDT 2016


On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark at msapiro.net>
>>
>> I am not an expert on httpoxy at all, but quoting from
>> <https://httpoxy.org/#top>
>>
>> "httpoxy is a vulnerability for server-side web applications. If
>> you’re not deploying code, you don’t need to worry."
>>
>> Mailman's web UI serves end user HTML pages. It does not deploy
>> code.
>>
> 
> Er, it uses CGI scripts, doesn't it? That's what it means to "deploy
> code" in this context.


That's not the way I read it, but if you think that's the case, then
you've already decided that Mailman 2.1 is vulnerable depending on the
specific web server configuration. GNU Mailman has no control over how
you set up your web server to serve Mailman's CGI output, so your
question should be "is my web server configuration vulnerable?".

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
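
Added illustration, not part of the original message and not Mailman code: the web-server question raised above comes down to whether a request's Proxy header reaches a CGI script as the HTTP_PROXY environment variable under the RFC 3875 header mapping. The function names and the sample request below are hypothetical and constructed for this sketch.

```python
"""Added example: how a CGI gateway's header mapping decides httpoxy exposure."""

# Headers RFC 3875 maps to un-prefixed meta-variables instead of HTTP_*.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_environ(headers, base_env=None, drop_proxy_header=False):
    """Build the environment a CGI script would see for one request.

    headers: list of (name, value) pairs from the request.
    drop_proxy_header: model a server configured to discard the request's
    Proxy header before the CGI mapping (the server-side mitigation).
    """
    env = dict(base_env or {})
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    for name, value in headers:
        key = name.strip().lower()
        if drop_proxy_header and key == "proxy":
            continue
        if key in UNPREFIXED:
            env[UNPREFIXED[key]] = value
        else:
            env["HTTP_" + key.upper().replace("-", "_")] = value
    return env


def scrub_request_proxy(env):
    """Script-side guard: in a CGI context HTTP_PROXY may be request-derived,
    so remove it before any HTTP client library reads it.
    Returns (clean_env, removed_value_or_None)."""
    clean = dict(env)
    removed = None
    if "GATEWAY_INTERFACE" in clean:
        removed = clean.pop("HTTP_PROXY", None)
    return clean, removed


# Constructed sample request; the .invalid hosts are placeholders.
SAMPLE_HEADERS = [
    ("Host", "lists.example.invalid"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]

if __name__ == "__main__":
    for drop in (False, True):
        env = cgi_environ(SAMPLE_HEADERS, drop_proxy_header=drop)
        _, removed = scrub_request_proxy(env)
        print("server drops Proxy header:", drop, "| HTTP_PROXY seen by script:", removed)
```

Outside a CGI context (no GATEWAY_INTERFACE) the guard leaves HTTP_PROXY alone, since there it is an operator-set variable rather than request data.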

