[Mailman-Users] Bug found in Mailman 2.1Beta

[Nigel Metheringham]

On Thu, 2002-05-02 at 12:31, Danny Terweij wrote:
> When you go to : http://yourdomain.com/mailman.listinfo/[listname]
> You as normal member, knows a member email adres from that list and write
> that email adres at the input field :
> 
> To unsubscribe from [listname], get a password reminder, or change your
> subscription options enter your subscription email address:
> 
>  [  a.member at domain.com   ]        {unsubscribe or edit options}
> 
> If you leave the field blank, you will be prompted for your email address
> 
> You can just edit a other member's options and can even change the password.

You *can* see any member's options this way, but you cannot save them or
change the password unless you know that member's password.

Just tested that through on the mailman-developers list which is running
a current development version.

I guess if it was particularly felt that this was a problem (ie security
and information leakage) then this could be changed so whatever email
address was put in led you to a page with 2 choices:-

  1. Enter password
     If member address valid and password was correct takes you to the
     other options.   Otherwise loops back to the same page again.

  2. Send password to me
     If member address valid sends the related password by mail.
     Otherwise does nothing.
     In both cases takes you to a page stating that the password
     will have been sent if the member mail address was valid.

Personally I don't get too excited about this - I am more concerned with
locking down the membership roster which we need to ensure defaults as
completely unavailable.  [Especially as I have been hit with some Data
Protection legislation related stuff in the last couple of weeks]

	Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]