Bugs item #655079, was opened at 2002-12-17 03:13
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103

Category: security/privacy
Group: 2.0.x
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Nicolas Weeger (ryo_saeba)
Assigned to: Nobody/Anonymous (nobody)
Summary: Major security hole.....

Initial Comment:
Just found a nice security bug: on the main list page, you have 2 fields to enter admin mail & password to view list subscriptions. Well, you can just enter a valid admin password, and it'll work !!! Even if the mail address is blank / invalid !!

----------------------------------------------------------------------

>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-17 17:52

Message:
Logged In: YES
user_id=12800

Dan's right, the admin can always read the archives and by design doesn't need to enter an email address.

----------------------------------------------------------------------

Comment By: Dan Mick (dmick)
Date: 2002-12-17 17:35

Message:
Logged In: YES
user_id=10725

It's assumed that if you have the admin password, you're allowed to view the archives. Why is this a security hole? Seems perfectly appropriate to me.

----------------------------------------------------------------------

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers
