My Mailman 2.1.12 server was flagged with a low-risk vulnerability:

    42057 Web Server Allows Password Auto-Completion

and I cannot tell from the description what URLs have this vulnerability, nor do I know how to correct it. I know little about Apache. One Google search at this URL

    https://developer.mozilla.org/en/How_to_Turn_Off_Form_Autocompletion

shows:

--------
For example, a typical form element line with autocompletion turned off might look like the following:

    <form name="form1" id="form1" method="post" autocomplete="off"
      action="http://www.example.com/form.cgi">
    [...]
    </form>

This form attribute is not part of any web standards but was first introduced in Microsoft's Internet Explorer 5. Netscape introduced it in version 6.2 -- in prior versions, this attribute is ignored. The autocomplete attribute was added at the insistence of banks and card issuers -- but never followed through on to reach standards certification.
--------

Am I correct in assuming that in order to "fix" this, I would have to go to directory /etc/mailman/en and modify these HTML files that contain the string "password":

    admlogin.html contains "<FORM METHOD=POST ACTION="%(path)s">"
    listinfo.html contains "<MM-Roster-Form-Start>"
    options.html contains "<MM-Form-Start>"

and the place where the two "Form-Start" strings are defined?

In the long run, is the change worth making?

Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: bsfin...@anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
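
One way to find which pages trigger this finding, as an added example that is not part of the original post and not Mailman code: the function below reports every form in a piece of HTML that holds a password field without autocomplete="off". The sample inputs are constructed (the field name "pw" is hypothetical), and the two "Form-Start" placeholders named in the post are reported as needing a check of the rendered page, since their form attributes are defined elsewhere.

```python
from html.parser import HTMLParser

# Placeholder tags named in the post; their <form> attributes are defined
# elsewhere, so a template file alone cannot show the autocomplete state.
PLACEHOLDERS = {"mm-form-start", "mm-roster-form-start"}

class FormAudit(HTMLParser):
    """Record, per form, whether its password inputs allow auto-completion."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (opening tag, status) tuples
        self._form = None    # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form" or tag in PLACEHOLDERS:
            self.flush()     # an unclosed earlier form ends here
            self._form = {"opener": tag, "passwords": 0, "unprotected": 0,
                          "form_off": a.get("autocomplete") == "off"}
        elif tag == "input" and a.get("type") == "password" and self._form:
            self._form["passwords"] += 1
            if not (self._form["form_off"] or a.get("autocomplete") == "off"):
                self._form["unprotected"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.flush()

    def flush(self):
        f, self._form = self._form, None
        if f is None:
            return
        if f["opener"] in PLACEHOLDERS:
            self.findings.append((f["opener"], "check-rendered-page"))
        elif f["passwords"]:
            status = "flagged" if f["unprotected"] else "ok"
            self.findings.append((f["opener"], status))

def audit(html):
    """Return findings for one template or one saved (rendered) page."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    parser.flush()           # a form still open at end of input
    return parser.findings

# Constructed samples: the <FORM>/<form> lines are quoted in the post,
# the password inputs are made up for the demonstration.
LOGIN = '<FORM METHOD=POST ACTION="%(path)s"><INPUT TYPE="password" NAME="pw"></FORM>'
FIXED = ('<form name="form1" id="form1" method="post" autocomplete="off" '
         'action="http://www.example.com/form.cgi"><input type="password" name="pw"></form>')
OPTIONS = '<MM-Form-Start><input type="password" name="pw">'
```

Running audit() over the HTML a browser actually receives from each Mailman page gives the same view the scanner has; running it over the template files shows where the literal form tags live.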