[Mailman-Developers] [ mailman-Bugs-655079 ] Major security hole.....

noreply at sourceforge.net
Wed Dec 18 05:28:07 EST 2002


Bugs item #655079, was opened at 2002-12-17 03:13
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103

Category: security/privacy
Group: 2.0.x
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Nicolas Weeger (ryo_saeba)
Assigned to: Nobody/Anonymous (nobody)
Summary: Major security hole.....

Initial Comment:
Just found a nice security bug:
on the main list page, you have 2 fields to enter admin 
mail & password to view list subscriptions.
Well, you can just enter a valid admin password, and it'll 
work!!! Even if the mail address is blank / invalid!!

----------------------------------------------------------------------

>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-18 08:28

Message:
Logged In: YES 
user_id=12800

The admin may not be a member of the list.  The specific
rule is that if the admin password is used, the email
address is ignored.  Yes, this means security is dependent
on the secrecy of your admin password, but if that leaks out
you're going to have bigger problems than someone viewing
your private archives.

----------------------------------------------------------------------

Comment By: Nicolas Weeger (ryo_saeba)
Date: 2002-12-18 02:39

Message:
Logged In: YES 
user_id=303511

Well, granted, but only if the mail is left blank!
I mean, if you put an email address, aren't you supposed to 
enter YOUR password, not an admin's?
Currently, put an admin password & ANY MAIL and it works...

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-17 17:52

Message:
Logged In: YES 
user_id=12800

Dan's right, the admin can always read the archives and by
design doesn't need to enter an email address.

----------------------------------------------------------------------

Comment By: Dan Mick (dmick)
Date: 2002-12-17 17:35

Message:
Logged In: YES 
user_id=10725

It's assumed that if you have the admin password, you're
allowed to view the archives.  Why is this a security hole?
Seems perfectly appropriate to me.

----------------------------------------------------------------------
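The two rules argued over in this ticket, written out as a small Python model. This is an added example, not Mailman's own code: the class name ListAuth, the PBKDF2 password storage and the sample list data are all constructed for illustration. authenticate() implements the rule Barry describes (a correct admin password grants access and the address field is ignored, whether it is blank, a non-member or a real member); authenticate_strict() implements what the reporter expected (the admin password only counts when the address is left blank, and a filled-in address must be paired with that member's own password).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example only


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; salt is generated if not given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess does not leak by timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class ListAuth:
    """Hypothetical model of the 'email + password' box on a list's roster page."""

    def __init__(self, admin_password: str, members: Dict[str, str]):
        self._admin = hash_password(admin_password)
        # Addresses are compared case-insensitively; passwords are stored hashed.
        self._members = {addr.lower(): hash_password(pw) for addr, pw in members.items()}

    def _is_admin_password(self, password: str) -> bool:
        salt, digest = self._admin
        return check_password(password, salt, digest)

    def _is_member_password(self, email: str, password: str) -> bool:
        record = self._members.get(email.strip().lower())
        if record is None:
            return False
        salt, digest = record
        return check_password(password, salt, digest)

    def authenticate(self, email: str, password: str) -> Optional[str]:
        """Rule stated in the thread: the admin password wins and the address is ignored.

        Returns 'admin', 'member' or None.
        """
        if self._is_admin_password(password):
            return "admin"
        if self._is_member_password(email, password):
            return "member"
        return None

    def authenticate_strict(self, email: str, password: str) -> Optional[str]:
        """Rule the reporter expected: admin password only with a blank address field,
        and a filled-in address must carry that member's own password."""
        if email.strip() == "":
            return "admin" if self._is_admin_password(password) else None
        return "member" if self._is_member_password(email, password) else None


if __name__ == "__main__":
    # Constructed sample list: one admin password, one subscriber.
    auth = ListAuth("s3cret-admin", {"alice@example.org": "alice-pw"})
    for who, args in [
        ("blank address + admin pw", ("", "s3cret-admin")),
        ("bogus address + admin pw", ("nobody@invalid", "s3cret-admin")),
        ("member address + admin pw", ("alice@example.org", "s3cret-admin")),
        ("member address + member pw", ("alice@example.org", "alice-pw")),
        ("member address + wrong pw", ("alice@example.org", "wrong")),
    ]:
        print(f"{who:28s} lenient={auth.authenticate(*args)!s:7s} "
              f"strict={auth.authenticate_strict(*args)}")
```

Running the module shows the difference in one line: under the lenient rule every row that carries the admin password returns 'admin', under the strict rule only the blank-address row does. Either way the design point Barry makes holds: the admin password alone is sufficient to read the roster, so its secrecy is the whole security boundary.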
