[Mailman-Users] MM admin interface wide open

Mark Sapiro mark at msapiro.net
Thu Aug 27 02:33:09 CEST 2009


Mark Sapiro wrote:

>Ulf Hofemeier wrote:
>>
>>PS. if you email me, I can provide you with the URL to my MM installation.
>
>
>If you send it to me, I'll check it out.


After a little off list back and forth, Ulf wrote:

>I had no site admin password set. Setting one with mmsitepass did the  
>trick. Thank you for pointing this out. Maybe it would be worthwhile  
>to add a line of code that checks whether a site admin pass has been  
>set for future versions? I tried to find a solution for my problem on  
>your mailman-user list, but couldn't. I have a hard time believing  
>that I'm the only one who has run into this problem though.
>
>Thank you for looking into it. Great support and I appreciate it :-)


Not having ever set a site password should not cause this problem. If
the password was never set, there would be no data/adm.pw file at all
and authenticating the site password should fail.

I think this issue could only occur if at some point someone actually
set a null site password.

Still, it's worth fixing it so that a null password doesn't work. I
can't see that anyone would actually want passwordless access to the
admin interface except maybe in the case of a server that was not
exposed on the internet at all, but probably not even then.

Does anyone need to have null passwords work in Mailman?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
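
The null-password condition discussed in this message can be audited for directly. The following is an added example, not part of the original message and not Mailman's own code; it assumes the site password file holds the SHA-1 hex digest of the password followed by a newline (Mailman 2.1 behaviour, not stated in the post), and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: the file stores sha1(password).hexdigest() + "\n".
NULL_DIGEST = hashlib.sha1(b"").hexdigest()   # digest of the empty password


def audit_password_file(path):
    """Classify a site password file: 'missing', 'null', 'malformed' or 'set'."""
    try:
        with open(path, "r") as fp:
            stored = fp.read().strip().lower()
    except FileNotFoundError:
        return "missing"        # never set: authentication fails, as the post says
    if stored == NULL_DIGEST:
        return "null"           # someone set an empty site password
    if len(stored) != 40 or any(c not in "0123456789abcdef" for c in stored):
        return "malformed"
    return "set"


def check_site_password(path, response):
    """Hardened check: an empty response or a null password file never authenticates."""
    if not response or audit_password_file(path) != "set":
        return False
    with open(path, "r") as fp:
        stored = fp.read().strip().lower()
    digest = hashlib.sha1(response.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)


def demo():
    """Run the audit against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "adm.pw")   # constructed stand-in for data/adm.pw
        results["never_set"] = audit_password_file(path)
        for label, pw in (("null_pw", ""), ("real_pw", "constructed-sample")):
            with open(path, "w") as fp:
                fp.write(hashlib.sha1(pw.encode("utf-8")).hexdigest() + "\n")
            results[label] = (audit_password_file(path), check_site_password(path, pw))
    return results


if __name__ == "__main__":
    print(demo())
```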


