[Mailman-Developers] [ mailman-Bugs-655079 ] Major security hole.....

noreply at sourceforge.net
Tue Dec 17 23:39:02 EST 2002


Bugs item #655079, was opened at 2002-12-17 09:13
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103

Category: security/privacy
Group: 2.0.x
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Nicolas Weeger (ryo_saeba)
Assigned to: Nobody/Anonymous (nobody)
Summary: Major security hole.....

Initial Comment:
Just found a nice security bug:
on the main list page, you have 2 fields to enter admin 
mail & password to view list subscriptions.
Well, you can just enter a valid admin password, and it'll 
work !!! Even if the mail address is blank / invalid !!

----------------------------------------------------------------------

>Comment By: Nicolas Weeger (ryo_saeba)
Date: 2002-12-18 08:39

Message:
Logged In: YES 
user_id=303511

Well, granted, but only if the mail is left blank !
I mean, if you put an email address, aren't you supposed to 
enter YOUR password, not an admin's ?
Currently, put an admin password & ANY MAIL and it works...

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-17 23:52

Message:
Logged In: YES 
user_id=12800

Dan's right, the admin can always read the archives and by
design doesn't need to enter an email address.

----------------------------------------------------------------------

Comment By: Dan Mick (dmick)
Date: 2002-12-17 23:35

Message:
Logged In: YES 
user_id=10725

It's assumed that if you have the admin password, you're
allowed to view the archives.  Why is this a security hole?
Seems perfectly appropriate to me.

----------------------------------------------------------------------
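The disagreement in this thread comes down to two authorization models for the private-archive login form. The following is an added example, not Mailman's code: it models the behaviour Dan and Barry describe as intended (the admin password is a list-level credential and the address field is ignored for it) next to the address-bound variant Nicolas asks for (an entered address must be authenticated with that member's own password, and the admin password only counts when the address is left blank). The password-hashing scheme, list state and member data are constructed for illustration.

```python
"""Two models of the private-archive login check discussed in the thread.

Added example, not Mailman's own code. The PBKDF2 scheme, the list state
and the member addresses below are constructed assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample list: one admin password, two members with their own passwords.
LIST_STATE: Dict[str, object] = {
    "admin_password": hash_password("correct horse"),
    "members": {
        "alice@example.com": hash_password("alice-secret"),
        "bob@example.com": hash_password("bob-secret"),
    },
}


def _member_ok(email: str, password: str, state: Dict[str, object]) -> bool:
    """True if the password is the one stored for exactly this address."""
    members: Dict[str, str] = state["members"]  # type: ignore[assignment]
    stored = members.get(email.strip().lower())
    return bool(stored) and verify_password(password, stored)


def authenticate_as_designed(email: str, password: str,
                             state: Dict[str, object] = LIST_STATE) -> Optional[str]:
    """Model of the behaviour Dan and Barry call intended.

    The admin password is a list-level credential: it grants 'admin' no matter
    what is in the address field (blank, unknown or a member's address).
    A member password only grants 'member' for the address it belongs to.
    """
    if verify_password(password, state["admin_password"]):  # type: ignore[arg-type]
        return "admin"
    if _member_ok(email, password, state):
        return "member"
    return None


def authenticate_address_bound(email: str, password: str,
                               state: Dict[str, object] = LIST_STATE) -> Optional[str]:
    """Model of the rule Nicolas proposes in his follow-up.

    If an address is entered, only that member's own password is accepted;
    the admin password is honoured only when the address field is blank.
    """
    if email.strip():
        return "member" if _member_ok(email, password, state) else None
    if verify_password(password, state["admin_password"]):  # type: ignore[arg-type]
        return "admin"
    return None


if __name__ == "__main__":
    for fn in (authenticate_as_designed, authenticate_address_bound):
        print(fn.__name__, "blank address + admin pw ->", fn("", "correct horse"))
        print(fn.__name__, "any address + admin pw   ->", fn("nobody@example.com", "correct horse"))
        print(fn.__name__, "alice + alice pw         ->", fn("alice@example.com", "alice-secret"))
```

The two functions differ on exactly the case the report describes: an admin password typed beside an arbitrary or unknown address. Under the intended model it still yields admin access, because the address field is irrelevant to that credential; under the address-bound model it yields nothing, since the address selects which password is being checked. Both models treat the member password the same way, so a member's password never works for another address.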

