[Mailman-Developers] Doubt about security

Edilson Azevedo eazevedo at bsd.com.br
Mon Jan 5 15:12:32 CET 2009


Hi Barry, and thanks for answering!

 You said "should". But in 95% of the lists that I look at, those links are
always open. A random example: the official Mailman mailing list. Follow my
steps:

1 - Open this link: http://mail.python.org/mailman/admin

2 - Then click on "create a new mailing list"

3 - You can try to create a new list until you discover the correct password (if
you don't know it). But if you don't know the password, you can try to use a
brute-force tool. They are very easy to find and very, very, very easy to use.
Sometimes they work very well... hehehe.


Again: anyone, anywhere, can try to create a new list. Is that correct??!!

Thanks Barry!!!

P.S.: Try those same steps on other mailing list sites. It always works!


On Mon, Jan 5, 2009 at 11:53 AM, Barry Warsaw <barry at list.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jan 5, 2009, at 8:04 AM, Edilson Azevedo wrote:
>
>> Hi Developers! I have a question:
>>
>> Why, on all the list sites that I look at, are the "Admin Links" open? Worse: why
>> (inside the Admin Links) is the link "create a new mailing list" open?
>> Anyone, anywhere, can try until they discover the admin password??
>>
>> My doubt is: why are those links open to the world? I think that it's very
>> insecure, or not?!?
>>
>
> Really?  Those links should always be behind a login screen.
>
> - -Barry
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
>
> iEYEARECAAYFAkliEN8ACgkQ2YZpQepbvXEk3gCfZEX4GJ5blkATZDZHxlbMnQlw
> p+gAnjSD4Gmrh+By/YGYl3QgBwiSRa1K
> =fJV0
> -----END PGP SIGNATURE-----
>



-- 
Atenciosamente,

Edilson Azevedo
(19) 3787-3312
(12) 8156-5590
Mail / Gtalk: eazevedo at bsd.com.br
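The three steps above amount to repeated password guesses against a publicly reachable form. Below is an added example of how an operator would spot that from the web server's access log; it is editor-written illustration, not Mailman's code and not anything posted in this thread. It assumes the Mailman 2.1 list-creation form is served by the `create` CGI at `/mailman/create`, that the log is in Apache combined format, and that a wrong list-creator password makes Mailman redraw the form with a 200 rather than a 4xx (so request rate per source, not status code, is the signal). The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
# 203.0.113.7 hammers the create-list form; 198.51.100.5 is a legitimate admin.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2009:15:10:01 +0100] "GET /mailman/admin HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:05 +0100] "GET /mailman/create HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:06 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:07 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:08 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:09 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:10 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:11 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2009:15:10:12 +0100] "POST /mailman/create HTTP/1.1" 200 4150 "-" "Mozilla/5.0"
this line is garbage and must be skipped rather than crash the parser
198.51.100.5 - - [05/Jan/2009:15:11:40 +0100] "GET /mailman/create HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.5 - - [05/Jan/2009:15:12:30 +0100] "POST /mailman/create HTTP/1.1" 200 2870 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status")))


def max_in_window(times, window):
    """Largest number of events from one source that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(lines, path="/mailman/create", threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak POST count to `path` inside `window`, for IPs at or above `threshold`.

    Assumption: Mailman's create CGI answers a wrong list-creator password with the
    form redrawn (HTTP 200), so failures look like successes in the status column;
    the rate of POSTs per source is what distinguishes guessing from normal use.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method == "POST" and req_path.split("?")[0] == path:
            posts[ip].append(ts)
    flagged = {}
    for ip, ts_list in posts.items():
        n = max_in_window(ts_list, window)
        if n >= threshold:
            flagged[ip] = n
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} POSTs to /mailman/create inside 60s, likely password guessing")
```

On the sample data the attacker is reported with 7 POSTs in the window and the legitimate admin is not. Detection is the fallback, though: if the create form has no business being world-reachable, the cleaner fix is to restrict the `/mailman/create` location at the web server (source-IP allow list or an HTTP auth layer in front of it), so the only party who can submit the form is one who already had to authenticate.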

