mailman-developers@python.org
Re: [Mailman-Developers] Doubt about security
Dan Mahoney, System Admin
Mon Jan 05 08:00:34 2009

On Mon, 5 Jan 2009, Edilson Azevedo wrote:
Hi Barry, and thanks for answering! You said "should". But in 95% of the lists that I look at, those links are always open. A random example: the official Mailman mailing list. Follow my steps:

1 - Open this link: http://mail.python.org/mailman/admin
2 - Then click on "create a new mailing list"
3 - You can try to create a new list until you discover the correct password (if you don't know it).

But, if you don't know the password, you can try to use a bruteforce. They are very easy to find and very, very, very easy to use. Sometimes they work very well.. hehehe. Again: anyone, anywhere, can try to create a new list. Is that correct??!! Thanks Barry!!!

P.S.: Try those same steps on other mailing list sites. It always works!

Allow me to chime in and ask how this would be different if the form were behind a login screen? Or any form at all? You can "brute force" any screen in mailman and afaik there's no timeout or backoff interval.
I see this as a non-issue, personally, but I do think it looks bad, and think that screen should, in a perfect world, be shown ONLY if there is a "list creator" password with no other privileges (but then, if that was the behavior, it would leak that fact).
Just my 0.02.

-Dan
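
The reply above notes that, as far as its author knows, Mailman screens have no timeout or backoff interval. The following is an added example, not part of the original message and not Mailman's code, of per-client exponential backoff around a password check; `AttemptThrottle`, `check_creator_password` and the delay values are hypothetical.

```python
import hmac
import time


class AttemptThrottle:
    """Per-client exponential backoff for a password form (hypothetical helper)."""

    def __init__(self, base_delay=1.0, max_delay=900.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay = base_delay        # delay after the first penalised failure
        self.max_delay = max_delay          # cap so the delay cannot grow unbounded
        self.free_attempts = free_attempts  # failures tolerated before any delay
        self.clock = clock                  # injectable so the logic can be tested
        self._state = {}                    # client -> (failures, not_before)

    def retry_after(self, client):
        """Seconds the client must still wait; 0.0 means an attempt is allowed."""
        _, not_before = self._state.get(client, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, client):
        """Count a failure and return the delay imposed before the next attempt."""
        failures = self._state.get(client, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = 0.0 if over <= 0 else min(self.max_delay,
                                          self.base_delay * 2 ** (over - 1))
        self._state[client] = (failures, self.clock() + delay)
        return delay

    def record_success(self, client):
        self._state.pop(client, None)


def check_creator_password(throttle, client, supplied, expected):
    """Return (ok, retry_after); no comparison happens while the client is backing off."""
    wait = throttle.retry_after(client)
    if wait > 0:
        return False, wait
    # Constant-time comparison so response timing does not leak a partial match.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(client)
        return True, 0.0
    return False, throttle.record_failure(client)
```

Keying on the client address alone does not slow guesses spread across many addresses, so a deployment would pair this with a global failure counter for the form and expire old entries from the state table.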