Actually he did it this way:

Noticed that mydomain/mailman was browsable.

Telnetted to port 80 and sent a GET request from there... ouch.

Sorting that now

Dino

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Buttery
Sent: 05 February 2003 11:27
To: 'Mailman users Mailing list'
Subject: Re: [Mailman-Users] Mailman Security.


* dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -0000]:
> I was just wondering what kind of security mailman offers, as far as 
> protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.

> A techy friend of mine has just kindly emailed me a list of all users
> and their passwords! Looking at my server logs it would appear that he
> snuck in somehow via anonymous ftp.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

> Would closing the anon. ftp service stop mailman working in any way, or
> dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman... 

-- 
------------------------------------------------------------------------
 John Buttery
                                     (Web page temporarily unavailable)
------------------------------------------------------------------------

------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives:
http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: [EMAIL PROTECTED]
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/dinouk%40orange.net

