[Mailman-Developers] URGENT!!!! security problems

John Viega John@list.org
Thu, 23 Jul 1998 10:27:08 -0700


Actually, that's a known issue.  Security stuff is on our todo list,
but not much thought has gone into it yet.  I hadn't actually put too
high a priority on it at this point, since you only need to trust list
administrators.  It was certainly expected to be done before beta.
However, if you want it in sooner, we can move it up.  Or, for an even
quicker solution, you or someone else could submit patches to either
b4, or b5, which will come out perhaps today or tomorrow, but if not,
on Monday for sure.  It depends on how much time I have to do
testing...

John

On Thu, Jul 23, 1998 at 07:05:38PM +0200, Gergely Madarasz wrote:
> Hello!
> 
> There are BIG security problems with mailman. For example a list
> administrator can subscribe an "email address" like this with mass
> subscribe:
> 
> `touch /tmp/gotcha`
> 
> Then when someone sends mail to the list, the command is executed... this
> means any list administrator can get access to the user running mailman
> on the list server. I could not achieve the same when trying to
> subscribe as a normal user, but I cannot say that it is safe. This needs a
> very urgent fix.
> 
> Greg
> 
> P.S. Thanks to Endre Hirling <endre@dawn.elte.hu> for pointing this problem
> out to me
> 
> --
> Madarasz Gergely           gorgo@caesar.elte.hu         gorgo@linux.rulez.org
>       It's practically impossible to look at a penguin and feel angry.
>           Egy pingvinre gyakorlatilag lehetetlen haragosan nezni.
>               HuLUG: http://www.cab.u-szeged.hu/local/linux/
> 
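Added example, not part of the thread and not Mailman's code: the class of bug reported above, shown as a shell-built delivery command beside a form that passes recipients as an argument vector, plus a subscribe-time address check. It assumes the stored address reached a shell command line at delivery (the thread does not say where); `echo` stands in for the mail transport, and the function names, the regex and the sample roster are constructed for illustration.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Conservative allow-list applied at subscribe time (assumption: stricter than RFC 5322).
ADDR_RE = re.compile(r"[A-Za-z0-9_.+=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def is_safe_address(addr):
    """Accept only plain local@domain; reject shell metacharacters and option-like input."""
    return not addr.startswith("-") and ADDR_RE.fullmatch(addr) is not None

def deliver_via_shell(recipients):
    """Vulnerable pattern: recipients are pasted into a string that /bin/sh parses."""
    cmd = "echo " + " ".join(recipients)  # echo stands in for the mail transport
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def deliver_via_argv(recipients):
    """Hardened pattern: no shell; each recipient is exactly one argv entry."""
    return subprocess.run(["echo", *recipients], capture_output=True, text=True).stdout

def demo():
    """Run both delivery forms over a constructed roster and report what happened."""
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "gotcha")
    # Same shape as the address in the report, pointed at a private temp directory.
    hostile = "`touch %s`" % marker
    roster = ["alice@example.org", hostile]
    try:
        out_argv = deliver_via_argv(roster)
        ran_argv = os.path.exists(marker)    # stays False: backticks were plain data
        out_shell = deliver_via_shell(roster)
        ran_shell = os.path.exists(marker)   # True: the shell ran the substitution
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "hostile": hostile,
        "argv_output": out_argv,
        "argv_executed": ran_argv,
        "shell_output": out_shell,
        "shell_executed": ran_shell,
        "accepted_at_subscribe": [a for a in roster if is_safe_address(a)],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

The address check and the argument-vector delivery are independent layers: the first keeps the value out of the roster, the second keeps any value that does get stored from being interpreted as a command.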