[Mailman-Users] Mailman Security.

Richard Barrett R.Barrett at ftel.co.uk
Wed Feb 5 16:35:57 CET 2003


At 11:44 05/02/2003, dino wrote:
>Actually he did it this way:
>
>Noticed that mydomain/mailman was browsable.

What additions did you make to your server's httpd.conf to support running 
mailman?

>Telneted to port 80 and sent a get request from there...ouch.

In effect like every other request to your server.

>Sorting that now

Re the telnet thing, there is nothing to sort as regards using a telnet 
client to connect to a HTTP server.

But, if you are saying you run a telnet server exposed to the internet on 
your server, you really should consider switching to running SSH and cease 
and desist the telnet server.

This problem is likely to be due to poor setup of your httpd.conf.

>Dino
>
>-----Original Message-----
>From: mailman-users-bounces+dinouk=orange.net at python.org
>[mailto:mailman-users-bounces+dinouk=orange.net at python.org] On Behalf Of
>John Buttery
>Sent: 05 February 2003 11:27
>To: 'Mailman users Mailing list'
>Subject: Re: [Mailman-Users] Mailman Security.
>
>
>* dino <dinouk at orange.net> [2003-02-05 10:32:16 -0000]:
> > I was just wondering what kind of security mailman offers, as far as
> > protecting user passwords goes?
>
>   Pretty much none.  It emails them cleartext once a month, for
>starters.  The list signup page explicitly instructs subscribers not to
>use important passwords (even in bold!).  The intent of the password
>system in Mailman (this is my interpretation, not backed up with any
>actual information) is to protect against malicious [un]subscriptions of
>others by casual idiots on the Net, not against determined attackers.
> > A techy friend of mine has just kindly emailed me a list of all users
> > and their passwords! Looking at my server logs it would appear that he
> > snuck in somehow via anonymous ftp.

If your httpd server and httpd.conf setup is sound then it should not be 
possible to access the files storing MM's user passwords via the HTTP server.

If you've got an insecure ftp setup on your server then anything is possible 
and God or the devil will surely punish you.

>   Then you have an incorrectly installed/configured/patched ftp server
>problem, not a mailman problem.  :)
>
> > Would closing the anon. ftp service stop mailman working in anyway, or
> > dya reckon he got in some place else?
>
>   I don't see why stopping an ftpd would affect mailman...
>
>--
>------------------------------------------------------------------------
>  John Buttery
>                                      (Web page temporarily unavailable)
>------------------------------------------------------------------------
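The httpd.conf point Richard raises, shown as an added example that is not part of this thread or of Mailman's own distribution. It assumes Apache 1.3/2.0 directive syntax (current at the time of the thread) and Mailman's default install prefix /usr/local/mailman; adjust the paths to your build.

```apacheconf
# Added example, not from the thread. Paths assume Mailman's default
# prefix /usr/local/mailman (an assumption; adjust for your install).

# WEAK: a plain Alias onto cgi-bin serves the wrappers as files instead of
# running them, and "Indexes" lets anyone list the directory, which is
# exactly the "mydomain/mailman was browsable" symptom from the thread.
#   Alias /mailman/ /usr/local/mailman/cgi-bin/
#   <Directory /usr/local/mailman/cgi-bin/>
#       Options Indexes ExecCGI
#   </Directory>

# CORRECTED: ScriptAlias marks the directory as CGI-only and Indexes is
# not enabled, so a GET on /mailman/ (from telnet or a browser) gets a
# 403 rather than a listing.
ScriptAlias /mailman/ /usr/local/mailman/cgi-bin/
<Directory /usr/local/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

# Only the public archive tree is exposed. FollowSymLinks is needed because
# Mailman's public archive entries are symlinks; Indexes is still off, and
# each archive directory carries its own index.html, so browsing works.
Alias /pipermail/ /usr/local/mailman/archives/public/
<Directory /usr/local/mailman/archives/public/>
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Nothing else under /usr/local/mailman (lists/, data/, archives/private/)
# is aliased, so the list config files holding member passwords and the
# private archives are not reachable through the HTTP server at all.
```

Private archives are reached only through the "private" CGI, which checks the list password; if an Alias ever points at archives/private the check is bypassed.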