[Mailman-Users] Disabling mailman/create Web Page
Barry Finkel
b19141 at anl.gov
Tue Sep 29 18:05:52 CEST 2009
I wrote on Sep 4:
>>>Our cyber security group sent me notice of a vulnerability in
>>>a Mailman web page:
>>>
>>> Web Application Potentially Sensitive CGI Parameter Detection
>>>
>>>I think it is the URL:
>>>
>>> mailman/create
and Mark Sapiro replied:
>>If there really is a Mailman security issue, please post the details to
>>mailman-security at python.org.
and "George A. Theall" <theall at tifaware.com> replied:
>This almost certainly is from a Nessus scan - see:
>
> http://www.nessus.org/plugins/index.php?view=single&id=40773
>
>This particular "plugin" isn't reporting a vulnerability per se (i.e., its
>risk factor is "None"). Instead, it notes that the name of one or more
>parameters suggests it might be sensitive in some fashion.
>Disclaimer: I work for Tenable Network Security as Director of
>Vulnerability Research, which, among other things, is responsible for
>writing the plugins for Nessus.
I was able to block access to the
mailman/create
page on my Mailman test virtual machine, but the same code did not
work on the production Mailman machine. I have asked my Apache expert
to look at why.
On the test machine I was successful, but a Nessus scan on that
machine still reports
Web Application Potentially Sensitive CGI Parameter Detection
What other Mailman web page(s) would cause this? Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
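
An added example, not part of the original message and not Nessus or Mailman code: one way to triage this kind of finding is to save each web page served by the installation and list the form fields whose name or type looks sensitive, which shows which pages could still trigger the report. The keyword list, the sample HTML, the field names in it and the `/mailman/example-page` path are assumptions constructed for illustration; the plugin's real matching rules are not given in this thread.

```python
from html.parser import HTMLParser
import re

# Assumed keyword list for illustration; NOT the Nessus plugin's actual list.
SENSITIVE = re.compile(r"(pass|pw|auth|secret|token|key)", re.I)

class FormFieldAudit(HTMLParser):
    """Collect (form action, field name, reason) for sensitive-looking fields."""
    def __init__(self):
        super().__init__()
        self.action = None      # action of the form currently being parsed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag in ("input", "select", "textarea") and a.get("name"):
            reasons = []
            if (a.get("type") or "").lower() == "password":
                reasons.append("type=password")
            if SENSITIVE.search(a["name"]):
                reasons.append("name matches keyword")
            if reasons:
                self.findings.append((self.action, a["name"], ", ".join(reasons)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(html):
    """Return the sensitive-looking fields found in one saved HTML page."""
    parser = FormFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input; field names are hypothetical, not copied from Mailman.
SAMPLE = """
<form action="/mailman/create" method="post">
 <input type="text" name="listname"> <input type="text" name="owner">
 <input type="password" name="password"> <input type="password" name="auth">
</form>
<form action="/mailman/example-page" method="post">
 <input type="text" name="email"> <input type="text" name="login_pw">
 <input type="submit" name="submit" value="Go">
</form>
"""

if __name__ == "__main__":
    for action, name, reason in audit(SAMPLE):
        print(f"{action}: {name} ({reason})")
```

Running `audit()` over pages saved from the real server gives a per-page list to compare against the scanner's report.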