[Mailman-Users] MM admin interface wide open

Ulf Hofemeier ulf at ladb.unm.edu
Thu Aug 27 01:32:28 CEST 2009


Mark,

Logout won't remove the cookie if there is one, but I doubt there is.
ALLOW_SITE_ADMIN_COOKIES is set to NO. I compiled MM 2.1.12 from the
source.
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf at ladb.unm.edu





On Aug 26, 2009, at 5:15 PM, Mark Sapiro wrote:

> Ulf Hofemeier wrote:
>>
>> I'm using MM 2.1.12 and am running into a problem that is rather nasty.
>> In my case the MM admin interface is wide open, which means that I don't
>> need a site admin pwd to access http://mydomain/mailman/admin/mylist. I
>> can click on logout and it will take me to the logout page, but simply
>> removing /logout from the URL will load the admin interface again.
>> Deleting the cookie doesn't help, closing the browser doesn't help. Oh,
>> yeah. The admin interface is accessible via Google as well.
>
>
> Do you allow site admin cookies and do you have one?
>
> Logout will remove the list admin cookie, but if you allow site admin
> cookies and you have logged in with the site password, logout won't
> remove that cookie.
>
> This doesn't sound like that's the issue in your case however, and it
> certainly isn't normal. Is this MM 2.1.12 installed from source or
> from a vendor package? If a package, which one? Any patches?
>
> Note that it is normal for the admin login page for a public list to be
> indexed in Google, but Google's crawlers and people coming from Google
> shouldn't be able to get past the login page without the password.
>
>
>> PS. if you email me, I can provide you with the URL to my MM installation.
>
>
> If you send it to me, I'll check it out.
>
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>


