[Mailman-Developers] [ mailman-Bugs-655079 ] Major security hole.....
noreply at sourceforge.net
Wed Dec 18 05:28:07 EST 2002
Bugs item #655079, was opened at 2002-12-17 03:13
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103
Category: security/privacy
Group: 2.0.x
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Nicolas Weeger (ryo_saeba)
Assigned to: Nobody/Anonymous (nobody)
Summary: Major security hole.....
Initial Comment:
Just found a nice security bug:
On the main list page, you have 2 fields to enter admin
mail & password to view list subscriptions.
Well, you can just enter a valid admin password, and it'll
work!!! Even if the mail address is blank/invalid!!
----------------------------------------------------------------------
>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-18 08:28
Message:
Logged In: YES
user_id=12800
The admin may not be a member of the list. The specific
rule is that if the admin password is used, the email
address is ignored. Yes, this means security is dependent
on the secrecy of your admin password, but if that leaks out
you're going to have bigger problems than someone viewing
your private archives.
----------------------------------------------------------------------
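As an added worked example (not code from the bug report or from Mailman itself), here is the access rule Barry describes, checked with the admin password first and the email field ignored on that path, side by side with the stricter rule the reporter argues for. The class and function names, the password hashing (SHA-256 hex digests, for illustration only, not Mailman's storage format), and the sample list data are all assumptions constructed for this example:

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def _digest(password: str) -> str:
    # Assumption for this example: passwords are stored as SHA-256 hex digests.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _match(stored_digest: str, password: str) -> bool:
    # Constant-time comparison so a wrong password does not leak how many
    # characters of the digest matched.
    return hmac.compare_digest(stored_digest, _digest(password))


@dataclass
class PrivateList:
    """A list with one admin password and a member -> password-digest table."""
    admin_digest: str
    member_digests: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: one admin password, two members.
SAMPLE_LIST = PrivateList(
    admin_digest=_digest("list-admin-secret"),
    member_digests={
        "alice@example.org": _digest("alice-pw"),
        "bob@example.org": _digest("bob-pw"),
    },
)


def archive_access(lst: PrivateList, email: str, password: str) -> Optional[str]:
    """Rule as stated in the thread: if the admin password is supplied, the
    email field is ignored entirely (the admin need not be a member).
    Otherwise the email must name a member and the password must be that
    member's own. Returns 'admin', 'member', or None (denied)."""
    if _match(lst.admin_digest, password):
        return "admin"
    member_digest = lst.member_digests.get(email.strip().lower())
    if member_digest is not None and _match(member_digest, password):
        return "member"
    return None


def archive_access_strict(lst: PrivateList, email: str, password: str) -> Optional[str]:
    """Variant the reporter argues for: a non-blank email must be paired with
    that member's own password; the admin password is only honoured when the
    email field is left blank. Same return values as archive_access."""
    email = email.strip().lower()
    if not email:
        return "admin" if _match(lst.admin_digest, password) else None
    member_digest = lst.member_digests.get(email)
    if member_digest is not None and _match(member_digest, password):
        return "member"
    return None


if __name__ == "__main__":
    # The case the reporter describes: any email plus the admin password.
    print(archive_access(SAMPLE_LIST, "nobody@nowhere.invalid", "list-admin-secret"))
    print(archive_access_strict(SAMPLE_LIST, "nobody@nowhere.invalid", "list-admin-secret"))
```

Under the thread's rule, the second call with a bogus email still yields admin access, which is exactly the behaviour reported; the strict variant denies it but, as Barry notes, both variants ultimately rest on the admin password staying secret.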
Comment By: Nicolas Weeger (ryo_saeba)
Date: 2002-12-18 02:39
Message:
Logged In: YES
user_id=303511
Well, granted, but only if the mail is left blank!
I mean, if you put an email address, aren't you supposed to
enter YOUR password, not an admin's?
Currently, put an admin password & ANY MAIL and it works...
----------------------------------------------------------------------
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-17 17:52
Message:
Logged In: YES
user_id=12800
Dan's right, the admin can always read the archives and by
design doesn't need to enter an email address.
----------------------------------------------------------------------
Comment By: Dan Mick (dmick)
Date: 2002-12-17 17:35
Message:
Logged In: YES
user_id=10725
It's assumed that if you have the admin password, you're
allowed to view the archives. Why is this a security hole?
Seems perfectly appropriate to me.
----------------------------------------------------------------------