[Mailman-Users] Roster security

Robert Heller heller at deepsoft.com
Sun May 20 14:56:58 EDT 2018


At Sun, 20 May 2018 08:26:38 -0700 Mark Sapiro <mark at msapiro.net> wrote:

> 
> On 05/20/2018 07:32 AM, Rubén Fernández Asensio wrote:
> > Is this by design, or is this a bug in my Mailman installation? Is there
> > any way of making the roster visible to subscribers without giving
> > access to personal option pages through it?
> 
> 
> One user does not have access to another user's options unless
> authenticated with a list admin password. If an ordinary user clicks
> another user's link, she only gets the options login page which can be
> gotten for any address just by knowing the address no matter how you get
> there.
> 
> By making the roster visible to members you are exposing the addresses.
> Anyone can go to a url like
> http://example.com/mailman/options/listname/user@example.net to get to
> the options login page for user at example.net.

And yes, the "options login page" also contains an "unsubscribe" button.  But 
as Mark says, you need the user's list password for anything to actually 
happen.

> 
> That's how mailman works. There's nothing magic about coming from the
> roster. You can't get past the login page without proper authentication.
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
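An added example, not code from this thread or from the Mailman project: the practical question behind Mark's point is which lists expose their roster, and to whom. Mailman 2.1 controls that with two per-list settings that the thread does not name, `private_roster` (0 = anyone, 1 = list members, 2 = list admin only) and `obscure_addresses` (1 = addresses on the roster page are not rendered as plain addresses). The script below reads those settings out of `config_list -o - LIST` output and grades each list from an admin's point of view. The `/usr/lib/mailman/bin` path, the function names, and the three `SAMPLE_CONFIGS` excerpts are my own constructed assumptions; the live-audit path at the bottom only runs when the script is executed on a real installation.

```python
"""Audit roster exposure of Mailman 2.1 lists (added example, not project code).

Assumes a Mailman 2.1 install with list_lists and config_list under MAILMAN_BIN.
"""
import os
import re
import subprocess
import sys

MAILMAN_BIN = "/usr/lib/mailman/bin"  # assumption: adjust to your install

# Real Mailman 2.1 settings; only the values/excerpts below are constructed.
PRIVATE_ROSTER = {0: "anyone", 1: "list members", 2: "list admin only"}

_SETTING = re.compile(r"^\s*(private_roster|obscure_addresses)\s*=\s*(\d+)", re.M)

# Constructed excerpts in config_list's output style (comment lines, then
# `name = value`), standing in for three hypothetical lists.
SAMPLE_CONFIGS = {
    "announce": "# Who can view subscription list?\nprivate_roster = 0\n"
                "# Show member addresses so they're not directly recognizable?\n"
                "obscure_addresses = 1\n",
    "discuss":  "private_roster = 1\nobscure_addresses = 0\n",
    "staff":    "private_roster = 2\nobscure_addresses = 1\n",
}


def parse_roster_settings(config_text):
    """Extract the two roster-related settings from config_list output."""
    found = {m.group(1): int(m.group(2)) for m in _SETTING.finditer(config_text)}
    if "private_roster" not in found:
        raise ValueError("private_roster not found in config_list output")
    return found


def assess(listname, settings):
    """Return (listname, severity, message); severity is high, medium or ok."""
    pr = settings["private_roster"]
    obscure = settings.get("obscure_addresses", 0)
    if pr == 0:
        return (listname, "high", "roster visible to anyone: every member address is public")
    if pr == 1:
        note = ("roster visible to every member; each entry links to that "
                "member's options login page")
        if not obscure:
            note += "; addresses are shown verbatim (obscure_addresses = 0)"
        return (listname, "medium", note)
    return (listname, "ok", "roster visible to %s" % PRIVATE_ROSTER[2])


def audit_from_texts(configs):
    """configs maps list name -> config_list output; worst findings come first."""
    order = {"high": 0, "medium": 1, "ok": 2}
    findings = [assess(name, parse_roster_settings(text)) for name, text in configs.items()]
    return sorted(findings, key=lambda f: order[f[1]])


def demo():
    """Offline run over the constructed sample lists."""
    return audit_from_texts(SAMPLE_CONFIGS)


def config_list_output(listname):
    """Run `config_list -o - LIST`; needs a real Mailman 2.1 install."""
    return subprocess.check_output(
        [os.path.join(MAILMAN_BIN, "config_list"), "-o", "-", listname], text=True)


def all_lists():
    """Bare list names from `list_lists -b`."""
    return subprocess.check_output(
        [os.path.join(MAILMAN_BIN, "list_lists"), "-b"], text=True).split()


if __name__ == "__main__":
    if os.path.isdir(MAILMAN_BIN):
        names = sys.argv[1:] or all_lists()
        findings = audit_from_texts({n: config_list_output(n) for n in names})
    else:
        findings = demo()  # no install here: show the constructed sample
    for name, severity, message in findings:
        print("%-6s %s: %s" % (severity, name, message))
```

Run it with no arguments to audit every list on the host, or pass list names. Lists graded `high` publish every address to the world; `medium` lists match the situation in this thread, where members see each other's addresses and the per-address options links, which is exactly the exposure Mark describes even though the links themselves stop at the login page.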

