Hi Barry, and thanks for answering!

You said "should". But in 95% of the lists that I look at, those links are
always open. A random example: the official Mailman mailing list. Follow my
steps:

1 - Open this link: http://mail.python.org/mailman/admin

2 - Then click on "create a new mailing list"

3 - You can try to create a new list until you discover the correct password (if
you don't know it). But, if you don't know the password, you can try to use a
brute-force tool. They are very easy to find and very, very, very easy to use.
Sometimes they work very well... hehehe.


Again: Anyone, anywhere, can try to create a new list. Is that correct??!!

Thanks Barry!!!

P.S.: Try those same steps on other mailing list sites. It always works!


On Mon, Jan 5, 2009 at 11:53 AM, Barry Warsaw <ba...@list.org> wrote:

> On Jan 5, 2009, at 8:04 AM, Edilson Azevedo wrote:
>
>> Hi Developers! I have a question:
>>
>> Why, on all the list sites that I look at, are the "Admin Links" open? Worse: why
>> (inside the Admin Links) is the link "create a new mailing list" open?
>> Anyone, anywhere, can try until they discover the admin password??
>>
>> My doubt is: Why are those links open to the world? I think that it's very
>> insecure, or not?!?
>>
>
> Really?  Those links should always be behind a login screen.
>
> -Barry
>



-- 
Regards,

Edilson Azevedo
(19) 3787-3312
(12) 8156-5590
Mail / Gtalk: eazev...@bsd.com.br
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers