Bugs item #655079, was opened at 2002-12-17 03:13
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103

Category: security/privacy
Group: 2.0.x
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Nicolas Weeger (ryo_saeba)
Assigned to: Nobody/Anonymous (nobody)
Summary: Major security hole.....

Initial Comment:
Just found a nice security bug: on the main list page, you have 2 fields to enter admin mail & password to view list subscriptions. Well, you can just enter a valid admin password, and it'll work!!! Even if the mail address is blank / invalid!!

----------------------------------------------------------------------

>Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-18 08:28

Message:
Logged In: YES
user_id=12800

The admin may not be a member of the list. The specific rule is that if the admin password is used, the email address is ignored. Yes, this means security is dependent on the secrecy of your admin password, but if that leaks out you're going to have bigger problems than someone viewing your private archives.

----------------------------------------------------------------------

Comment By: Nicolas Weeger (ryo_saeba)
Date: 2002-12-18 02:39

Message:
Logged In: YES
user_id=303511

Well, granted, but only if the mail is left blank! I mean, if you put an email address, aren't you supposed to enter YOUR password, not an admin's? Currently, put an admin password & ANY MAIL and it works...

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2002-12-17 17:52

Message:
Logged In: YES
user_id=12800

Dan's right, the admin can always read the archives and by design doesn't need to enter an email address.

----------------------------------------------------------------------

Comment By: Dan Mick (dmick)
Date: 2002-12-17 17:35

Message:
Logged In: YES
user_id=10725

It's assumed that if you have the admin password, you're allowed to view the archives. Why is this a security hole? Seems perfectly appropriate to me.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=655079&group_id=103

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers
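The two readings of the rule argued over in this thread can be made concrete with a small authorization check. The code below is an added example and is not Mailman's own code: it is a constructed gate for viewing a private archive that implements the rule Barry describes (a valid admin password grants access and the email field is ignored) and, behind a hypothetical `admin_ignores_email` switch, the behaviour the reporter expected (the admin password is only honoured when the email field is blank). Password storage uses PBKDF2 with a per-password salt and a constant-time comparison, since, as the thread notes, the whole check rests on the secrecy of the admin password; the list name, addresses and passwords are constructed sample values.

```python
"""Constructed example of the private-archive authorization rule discussed in
bug #655079. This is not Mailman's code; names and sample values are invented."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # assumption: a modest cost factor for the example

StoredPassword = Tuple[bytes, bytes]  # (salt, pbkdf2-sha256 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredPassword:
    """Derive a salted PBKDF2 digest; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, stored: StoredPassword) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, expected = stored
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class ArchiveGate:
    """Decides who may view a list's private archive.

    admin_ignores_email=True  -> the rule Barry describes: a valid admin password
                                 grants access whatever the email field contains.
    admin_ignores_email=False -> the reporter's expectation (hypothetical variant):
                                 the admin password is honoured only when the email
                                 field is left blank; otherwise the pair must be a
                                 member address and that member's own password.
    """

    def __init__(self, admin_password: str, member_passwords: Dict[str, str],
                 admin_ignores_email: bool = True) -> None:
        self.admin = hash_password(admin_password)
        self.members = {addr.lower(): hash_password(pw) for addr, pw in member_passwords.items()}
        self.admin_ignores_email = admin_ignores_email

    def authorize(self, email: str, password: str) -> str:
        """Return 'admin', 'member' or 'denied' for the submitted form fields."""
        email = email.strip().lower()
        # Admin path: checked first; the email field is ignored under the Mailman rule.
        if password_matches(password, self.admin) and (self.admin_ignores_email or not email):
            return "admin"
        # Member path: the address must be subscribed and the password must be that member's.
        stored = self.members.get(email)
        if stored is not None and password_matches(password, stored):
            return "member"
        return "denied"


def demo() -> Dict[str, str]:
    """Run the same form submissions through both variants (constructed sample values)."""
    members = {"alice@example.com": "alice-pw-sample"}
    mailman_rule = ArchiveGate("admin-pw-sample", members, admin_ignores_email=True)
    strict_rule = ArchiveGate("admin-pw-sample", members, admin_ignores_email=False)
    return {
        "mailman: admin pw, blank email": mailman_rule.authorize("", "admin-pw-sample"),
        "mailman: admin pw, bogus email": mailman_rule.authorize("bogus@example.com", "admin-pw-sample"),
        "mailman: member pw, member email": mailman_rule.authorize("alice@example.com", "alice-pw-sample"),
        "mailman: wrong pw, member email": mailman_rule.authorize("alice@example.com", "wrong"),
        "strict: admin pw, bogus email": strict_rule.authorize("bogus@example.com", "admin-pw-sample"),
        "strict: admin pw, blank email": strict_rule.authorize("", "admin-pw-sample"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Under the Mailman rule the "admin pw, bogus email" submission is authorized as `admin`, which is exactly what the reporter observed; under the strict variant the same submission is `denied`, while a blank email plus the admin password still succeeds. Either way the admin path is only as strong as the admin password's secrecy, which is why the example hashes it rather than storing it in the clear.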
