-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Jan 5, 2009, at 1:12 PM, [email protected] wrote:
I suspect the default should be to not expose those things. I
wasn't even
aware that list creation through the web was possible. Based on the
extremely novice questions I see posted to mailman-users on occasion I
suspect many potential Mailman admins are unaware of this as well.
I fear
those admins are also the ones most likely to not create strong
passwords.
Note that by default, it's not possible to create mailing lists
through the web even though the link exists. You have to create a
site password or 'list creators' password to enable this feature. A
site admin should know enough to set these passwords to something
strong and difficult to brute force.
Still, the suggestions for disabling this CGI is easy enough, and if
you have shell access to create those passwords, you have shell access
to disable the CGI.
- -Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAkliWYwACgkQ2YZpQepbvXFM9wCaAifGNrsBzdL0Mf5RDmrf6jAj
BekAn0LvBA684d7AsE86eiEHjdyghLZX
=D1FM
-----END PGP SIGNATURE-----
_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives:
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
