[Mailman-Users] Archive access with only password?
Gary Wang
quartertone at mac.com
Fri Mar 29 15:14:59 CET 2002
Well, it IS rather convenient, but I am more concerned about the potential
(sort-of) security risk. Because access is allowed without username,
some d00d with evil intent would have an easier time brute-forcing the
password..
You know what 'they' say... to catch the bad guys, you have to think
like them..
On Friday, March 29, 2002, at 10:48 PM, Ron Jarrell wrote:
> At 10:41 PM 3/29/02 +0900, Gary Wang wrote:
>> I was hacking around my new Mailman setup, and found out to my great
>> surprise:
>> The "private" archives are accessible without a username. Well, that's
>> only half the story, but it really caught me by surprise. I eventually
>> figured out that the list is accessible by entering just the admin
>> password. Is there a way to change this so that admin also needs to
>> enter username?
>
> 2.1b1 does that, which I find annoying as hell, because now if I need
> to fix something I have to first go lookup a valid user on the list to
> use the admin password on... But it sounds like you'll be happy :-).
gary c wang
ICQ: 4343405