[Mailman-Users] Roster security

Mark Sapiro mark at msapiro.net
Sun May 20 11:26:38 EDT 2018

On 05/20/2018 07:32 AM, Rubén Fernández Asensio wrote:
> Is this by design, or is this a bug in my Mailman installation? Is there
> any way of making the roster visible to subscribers without giving
> access to personal option pages through it?

One user does not have access to another user's options unless
authenticated with a list admin password. If an ordinary user clicks
another user's link, she only gets the options login page which can be
gotten for any address just by knowing the address no matter how you get

By making the roster visible to members you are exposing the addresses.
Anyone can go to a url like
http://example.com/mailman/options/listname/user@example.net to get to
the options login page for user at example.net.

That's how mailman works. There's nothing magic about coming from the
roster. You can't get past the login page without proper authentication.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list