I hate to reply to my own postings, but, there is a fifth <non-alcoholic
of course> I forgot to mention.  Many of the CGI scripts one will find
posted for free use on the net are open vulnerabilities, and many of those
authors no longer maintain them.  For that reason, people are far better
off to learn a scripting language and the intricacies of using it in a
secure fashion rather than relying upon what they might find, poorly if at
all maintained, on the free CGI sites. 

Thanks,

Ron DuFresne

On Sun, 6 Jan 2002, R. DuFresne wrote:

> On Sun, 6 Jan 2002, Julian C. Dunn wrote:
> 
> > On Sun, 6 Jan 2002, R. DuFresne wrote:
> > 
> > > I'd remove the mailman CGI scripts, they have some security issues that
> > > have been covered on the Bugtraq list.
> > 
> > I really don't think that this is a very helpful comment because it's a
> > non-sequitur; first off it doesn't solve David's problem, and second of
> > all, you should provide some context for that statement. MailMan < 2.0.8
> > suffers from cross-site-scripting security problems which have been fixed
> > in the latest release, if those are the security issues you are referring
> > to. Even so, what if David is running MailMan on an intranet where the CSS
> > bugs won't be exploited? Then these security issues are not relevant to
> > him.
> 
> First, I didn't think folks on this list required spoonfeeding.  I take it
> that folks capable of untarring and going through the fairly complex
> instructions for installing 3 or more separate packages are qualified to
> do some research on their own, which persons concerned with the security
> of the site<s> they maintain certainly should do, yes?  Second, I am not
> aware, and you certainly are not aware of which version of mailman the
> requestor has on his system.  Third, in a private response to the
> requester, which I'll not post as it was indeed a private exchange and
> the posting of private exchanges is in bad form, right?, there was a bit
> more information included, to help guide them in their own search for the
> issues briefly related in my first public posting.  Fourth, you were and
> are certainly allowed to supply more information and spoonfeeding to
> requestors, should you feel it necessary, as you did, for the edification
> of the full list or privately, if spoonfeeding is your forte.
> 
> Thanks,
> 
> 
> Ron DuFresne
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
