[ mailman-Feature Requests-1441723 ] privacy hole in password reminder
SourceForge.net
noreply at sourceforge.net
Thu Mar 2 14:48:07 CET 2006
Feature Requests item #1441723, was opened at 2006-03-03 00:48
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350103&aid=1441723&group_id=103
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: dmvianna (dmvianna)
Assigned to: Nobody/Anonymous (nobody)
Summary: privacy hole in password reminder
Initial Comment:
Mailman sends me password reminders in plain text. I
can disable this feature, but other users can manually
make it send a reminder just as if I had forgotten the
password, with no other question being asked. If smart
enough to intercept that message, the attacker could:
1) Get my password;
2) get my IP in the mail header.
Possible solutions:
1) Some sites and programs use a "secret question"
whose right answer would give the user the chance to
get a password reminder.
2) The password could be prompted in a secure HTML
page. I find this safer, as compared to plain text mails.
----------------------------------------------------------------------