[Mailman-Users] Roster security

Mark Sapiro mark at msapiro.net
Mon May 21 11:10:42 EDT 2018


On 05/21/2018 12:27 AM, Rubén Fernández Asensio wrote:
> 
> Yeah, I'm aware that only the concerned subscriber will receive the
> password reminder and the unsubscribe confirmation, so there's no
> security hole, but anyway it puzzles me that subscribers can "spam" each
> other this way.
> 
> But if it's supposed to be this way, I guess I'll have to live with it.


Anyone from anywhere can go to the options login page for any user. It
has to be that way. If it weren't, users could not go to their own
options login page.

There is nothing special about going to a user's options login page from
the roster, and removing that link from the roster would not offer any
real protection against someone going to someone else's options login page.

Also, removing the Unsubscribe and Remind buttons from the login page
creates real problems for users who've forgotten their password.

I.e., there are good reasons why it is the way it is, and there are no
plans to change it.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
