On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:

> I think Barry misunderstood which links you are talking about.

Yep. Thanks, I just re-read the OP (in post-coffee mode :), so now I get it.

> The links on the list admin overview page to lists really reveal
> nothing but the names of public lists on the server. These are already
> available on the listinfo overview page and anyone who knows even a
> little bit about Mailman can easily construct admin or admindb links
> from the listinfo links. If you are concerned about revealing this,
> make all your lists advertised = No.
>
>> A random example: The official MailMan mailing list. Follow my
>> steps:
>>
>> 1 - Open this link: http://mail.python.org/mailman/admin
>>
>> 2 - After, click on "create a new mailing list"
>
> Likewise, anyone with even a little knowledge of Mailman can figure out
> the URL to the create CGI.
>
> The answer is to use strong passwords, and if you are really concerned,
> don't advertise any lists and remove Mailman's cgi-bin/create wrapper
> so lists can't be created from the web, or alternatively just don't
> set site admin or list creator passwords or remove data/adm.pw and
> data/creator.pw to remove those set previously.

Mark's suggestions are spot on.

-Barry
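A small audit script for the hardening Mark describes above (drop the cgi-bin/create wrapper, or leave the site admin and list creator passwords unset / delete data/adm.pw and data/creator.pw). This is example code written for this page, not code from the thread or from the Mailman project; it assumes the classic Mailman 2.x single-prefix layout, and a constructed temporary directory stands in for a real install when MAILMAN_PREFIX is not set.

```shell
# Audit helper written for this page (not from the thread or from Mailman itself).
# Reports whether a Mailman 2.x install can still create lists from the web,
# following Mark's checklist: the cgi-bin/create wrapper plus a set site admin
# password (data/adm.pw) or list creator password (data/creator.pw).
mailman_create_exposure() {
    prefix=$1
    exposed=0
    if [ -x "$prefix/cgi-bin/create" ]; then
        echo "cgi-bin/create wrapper present: /mailman/create is reachable"
        for pw in adm.pw creator.pw; do
            f="$prefix/data/$pw"
            if [ -s "$f" ]; then
                echo "data/$pw is set: that password can create lists via the web"
                exposed=1
                # Caveat: the file holds a password hash, so it should not be world-readable.
                if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
                    echo "data/$pw is world-readable; tighten its mode"
                fi
            fi
        done
        if [ "$exposed" -eq 0 ]; then
            echo "no site admin or list creator password set: create CGI cannot authenticate"
        fi
    else
        echo "cgi-bin/create wrapper absent: web list creation is disabled"
    fi
    return "$exposed"
}

# Constructed demo layout (not a real install): wrapper present and adm.pw set.
make_demo_prefix() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/data"
    printf '#!/bin/sh\n' > "$d/cgi-bin/create"
    chmod 755 "$d/cgi-bin/create"
    printf 'constructed-hash\n' > "$d/data/adm.pw"
    chmod 640 "$d/data/adm.pw"
    echo "$d"
}

# Check a real prefix when MAILMAN_PREFIX is set, otherwise run on the demo layout.
if [ -n "${MAILMAN_PREFIX:-}" ]; then
    mailman_create_exposure "$MAILMAN_PREFIX"
else
    demo=$(make_demo_prefix)
    mailman_create_exposure "$demo" || echo "demo prefix is exposed (expected)"
    rm -rf "$demo"
fi
```

The function exits non-zero when the create CGI is both reachable and has a password it can authenticate against, which is the combination Mark's advice removes.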

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers