[Mailman-Users] MM admin interface wide open

Ulf Hofemeier ulf at ladb.unm.edu
Thu Aug 27 02:26:07 CEST 2009


Folks,

It turns out the issue was that my mailman site admin password was
null, meaning I had no site admin password set. Using bin/mmsitepass
did solve the problem for me. Now, logout works and opening
mailman/admin/mylist does require a password to login.

@Mark, thank you for pointing this out for me!
Ulf
--
Ulf Hofemeier
Programmer / Analyst II
Latin American and Iberian Institute
ulf at ladb.unm.edu





On Aug 26, 2009, at 5:15 PM, Mark Sapiro wrote:

> Ulf Hofemeier wrote:
>>
>> I'm using MM 2.1.12 and am running into a problem that is rather nasty.
>> In my case the MM admin interface is wide open, which means that I don't
>> need a site admin pwd to access http://mydomain/mailman/admin/mylist. I
>> can click on logout and it will take me to the logout page, but simply
>> removing /logout from the URL will load the admin interface again.
>> Deleting the cookie doesn't help, closing the browser doesn't help. Oh,
>> yeah. The admin interface is accessible via Google as well.
>
>
> Do you allow site admin cookies and do you have one?
>
> Logout will remove the list admin cookie, but if you allow site admin
> cookies and you have logged in with the site password, logout won't
> remove that cookie.
>
> This doesn't sound like that's the issue in your case however, and it
> certainly isn't normal. Is this MM 2.1.12 installed from source or
> from a vendor package? If a package, which one? Any patches?
>
> Note that it is normal for the admin login page for a public list to be
> indexed in google, but google's crawlers and people coming from google
> shouldn't be able to get past the login page without the password.
>
>
>> PS. if you email me, I can provide you with the URL to my MM installation.
>
>
> If you send it to me, I'll check it out.
>
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
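
A check for the condition this thread ends on (no usable site admin password), as an added example that is not part of the original messages or of Mailman's own code. It assumes a Mailman 2.1 layout in which the site password is stored as a single SHA-1 hex digest in `data/adm.pw`; the function names and the default path are hypothetical.

```python
import hashlib
import os
import re
import stat
import sys

# Assumption: the site password file holds one line, the SHA-1 hex digest
# of the password. The digest of the empty string marks an empty password.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def classify_site_password(contents):
    """Classify the text of the site password file (None = file missing)."""
    if contents is None:
        return "missing"
    digest = contents.strip().lower()
    if not digest:
        return "empty-file"
    if not HEX40.match(digest):
        return "malformed"
    if digest == EMPTY_SHA1:
        return "empty-password"
    return "set"


def audit_site_password(path):
    """Return (status, world_readable) for the password file at `path`."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fp:
            contents = fp.read()
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ("missing", False)
    except PermissionError:
        return ("unreadable", False)
    return (classify_site_password(contents), bool(mode & stat.S_IROTH))


if __name__ == "__main__":
    # Hypothetical default location; pass the real path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/mailman/data/adm.pw"
    status, world_readable = audit_site_password(target)
    print("%s: %s%s" % (target, status, " (world-readable)" if world_readable else ""))
    sys.exit(0 if status == "set" and not world_readable else 1)
```

Any status other than `set` is the cue to run bin/mmsitepass, as described in the message above.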


