[Mailman-Users] virtual domain list disclosure and list email link issue

Mark Sapiro mark at msapiro.net
Fri Apr 16 17:19:36 CEST 2010


Dennison Williams wrote:
>
>The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
>my Mailman/mm_cfg.py file I am still able to disclose other lists on
>other domains through the url:
>http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
>There must be another way around this; if not, it should be considered
>a minor security flaw.  Can anyone point me in the right direction for
>preventing this?


VIRTUAL_HOST_OVERVIEW controls what its name implies, i.e. what lists
appear on the listinfo and admin overview page. It is true that by
trying URLs such as the one you give above, one could confirm the
existence of a list in another domain and find its domain name from
its listinfo page. If this is really a security issue for you, there
are two choices.

1) Modify all the Mailman/Cgi/*.py modules along the lines of the
attached listinfo.patch.txt, or

2) Install a separate Mailman instance for each domain.


>The second issue is that all emails from the list are coming with links
>from the wrong domain.  How can I get these links to reflect the domain
>that the lists are for?


Web links or email links? If the web links are wrong, the lists must
also appear on the wrong listinfo overview page. In any case, make
sure every host has a correct

add_virtualhost('hosts.web.domain', 'hosts.email.domain')

in mm_cfg.py. Then run Mailman's

bin/withlist -l -r fix_url listname -u web.host.for.this.list

for every list. This will fix both web and email domains. Or, if the
problem is only email domains, you can go to the web admin General
Options page for every list and set the correct host_name attribute
near the bottom of the page.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: listinfo.patch.txt
URL: <http://mail.python.org/pipermail/mailman-users/attachments/20100416/e25bb48f/attachment.txt>
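As an added illustration (not the scrubbed listinfo.patch.txt and not Mailman's own code), this Python 3 sketch shows the kind of per-list host check that option 1 above amounts to: the host the request arrived on is compared with the host in the list's web_page_url, and a mismatch is answered exactly like a non-existent list. VIRTUAL_HOST_OVERVIEW, web_page_url and the get_domain() logic are Mailman 2 names; DEFAULT_URL_HOST, the list names and their URLs below are constructed sample values.

```python
# Added example: models the per-list virtual-host gate a patched
# Mailman/Cgi/listinfo.py would need. Sample lists and hosts are constructed.
from urllib.parse import urlsplit

VIRTUAL_HOST_OVERVIEW = True
DEFAULT_URL_HOST = "lists.example.com"  # constructed stand-in for mm_cfg value

# Constructed sample lists: name -> the web_page_url that fix_url would set.
LISTS = {
    "announce": "http://lists.example.com/mailman/",
    "devel": "http://lists.example.org/mailman/",
    "staff": "https://intranet.example.net:8443/mailman/",
}


def request_host(environ):
    """Like Utils.get_domain(): HTTP_HOST or SERVER_NAME with the port stripped."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME") or ""
    port = environ.get("SERVER_PORT")
    if port and host.endswith(":" + port):
        host = host[: -len(port) - 1]
    if VIRTUAL_HOST_OVERVIEW and host:
        return host.lower()
    return DEFAULT_URL_HOST.lower()


def list_belongs_to_host(web_page_url, host):
    """True when the list's own web host equals the host the request came in on."""
    return (urlsplit(web_page_url).hostname or "").lower() == host.lower()


def listinfo(environ, listname):
    """Return (status, body) for /mailman/listinfo/<listname> on the request host.

    With VIRTUAL_HOST_OVERVIEW on, a list that lives under another virtual host
    gets the same 404 as a list that does not exist, so probing one domain's
    listinfo URLs no longer confirms which lists exist on the other domains.
    """
    host = request_host(environ)
    url = LISTS.get(listname.lower())
    if url is None or (VIRTUAL_HOST_OVERVIEW and not list_belongs_to_host(url, host)):
        return 404, "No such list %s" % listname
    return 200, "Listinfo for %s at %s" % (listname, host)
```

The same gate would have to be repeated in each Mailman/Cgi/*.py entry point (admin, options, roster, ...), which is why the reply says to modify all of them rather than listinfo alone.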

