[Mailman-Developers] Doubt about security

Mark Sapiro mark at msapiro.net
Mon Jan 5 17:48:42 CET 2009


Edilson Azevedo wrote:
>
> You said "should". But in 95% of the lists that I look at, those links are
>always open.


I think Barry misunderstood which links you are talking about.

The links on the list admin overview page to lists really reveal
nothing but the names of public lists on the server. These are already
available on the listinfo overview page and anyone who knows even a
little bit about Mailman can easily construct admin or admindb links
from the listinfo links. If you are concerned about revealing this,
make all your lists advertised = No.

>A random example: The official MailMan mailing list. Follow my
>steps:
>
>1 - Open this link: http://mail.python.org/mailman/admin
>
>2 - After, click on "create a new mailing list"


Likewise, anyone with even a little knowledge of Mailman can figure out
the URL to the create CGI.

The answer is to use strong passwords, and if you are really concerned,
don't advertise any lists and remove Mailman's cgi-bin/create wrapper
so lists can't be created from the web, or, alternatively, just don't
set site admin or list creator passwords, or remove data/adm.pw and
data/creator.pw to remove those set previously.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan