
Re: [Mailman-Developers] Doubt about security Dan Mahoney, System Admin Mon Jan 05 08:00:34 2009

On Mon, 5 Jan 2009, Edilson Azevedo wrote:

> Hi Barry, and thanks for answering!
> 
> You said "should". But in 95% of the lists that I look at, those links are
> always open. A random example: the official Mailman mailing list. Follow my
> 
> 1 - Open this link: http://mail.python.org/mailman/admin
> 
> 2 - Then click on "create a new mailing list"
> 
> 3 - You can try to create a new list until you discover the correct password (if
> you don't know it). But if you don't know the password, you can try to use a
> bruteforce. They are very easy to find and very, very, very easy to use.
> Sometimes they work very well.. hehehe.
> 
> Again: anyone from anywhere can try to create a new list. Is that correct??!!
> 
> Thanks Barry!!!
> 
> P.S.: Try those same steps on other Mailing List sites. It always works!

Allow me to chime in and ask how this would be different if the form were behind a login screen? Or any form at all? You can "brute force" any screen in mailman and afaik there's no timeout or backoff interval.

I see this as a non-issue, personally, but I do think it looks bad, and think that screen should, in a perfect world, be shown ONLY if there is a "list creator" password with no other privileges (but then, if that was the behavior, it would leak that fact).

Just my 0.02.
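The point raised above, that any password-protected screen can be guessed against when the server applies no timeout or backoff between failed attempts, is illustrated by the following added example of a per-source backoff gate placed in front of a form handler. This is example code written for this thread, not Mailman's own; the handler name, the source key format, the delay policy values and the demo list-creator password are all assumptions. Attempts that arrive during the backoff window are refused before the password is even checked, so a guessing loop is throttled and gets no signal about the candidate it sent.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Assumed policy values (not Mailman settings): the first failure waits
# BASE_DELAY seconds, each further failure doubles the wait, capped at
# MAX_DELAY; a source quiet for QUIET_WINDOW seconds starts clean again.
BASE_DELAY = 2.0
MAX_DELAY = 900.0
QUIET_WINDOW = 3600.0


@dataclass
class FailureRecord:
    failures: int = 0
    last_failure: float = 0.0


class BackoffGate:
    """Per-source exponential backoff for a password-protected form.

    `key` identifies the caller (client address plus form name is a
    reasonable choice). `clock` is injectable so the behaviour can be
    exercised without sleeping. Hypothetical helper, not from Mailman.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}

    def required_wait(self, key):
        """Seconds the caller must still wait before the next attempt (0 if none)."""
        rec = self._records.get(key)
        if rec is None:
            return 0.0
        now = self._clock()
        if now - rec.last_failure > QUIET_WINDOW:
            del self._records[key]  # stale record: forgive old failures
            return 0.0
        delay = min(BASE_DELAY * 2 ** (rec.failures - 1), MAX_DELAY)
        return max(0.0, rec.last_failure + delay - now)

    def record_failure(self, key):
        rec = self._records.setdefault(key, FailureRecord())
        rec.failures += 1
        rec.last_failure = self._clock()
        return rec.failures

    def record_success(self, key):
        self._records.pop(key, None)


# Constructed demo secret; a real deployment stores a salted password hash.
_CREATOR_PASSWORD_HASH = hashlib.sha256(b"demo-only-creator-secret").hexdigest()


def check_creator_password(candidate):
    """Constant-time comparison of the candidate's digest against the stored one."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, _CREATOR_PASSWORD_HASH)


def handle_create_list(gate, source, candidate):
    """Return (status, seconds_to_wait) for one submission of the create-list form."""
    wait = gate.required_wait(source)
    if wait > 0:
        return ("retry_later", wait)  # refused without touching the password
    if check_creator_password(candidate):
        gate.record_success(source)
        return ("created", 0.0)
    gate.record_failure(source)
    return ("denied", gate.required_wait(source))


class FakeClock:
    """Controllable clock so the demo and tests need no real sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Drive the handler with a constructed guess sequence from one source."""
    clock = FakeClock()
    gate = BackoffGate(clock)
    source = "203.0.113.5/create"  # constructed source key
    outcomes = []
    for guess in ["guess1", "guess2", "guess3"]:
        outcomes.append(handle_create_list(gate, source, guess))
        clock.advance(1.0)
    clock.advance(60.0)  # wait out the backoff, then submit the right password
    outcomes.append(handle_create_list(gate, source, "demo-only-creator-secret"))
    return outcomes


if __name__ == "__main__":
    for status, wait in simulate():
        print(f"{status:12s} wait={wait:.1f}s")
```

In the simulated run the second guess, sent one second after the first failure, is rejected with "retry_later" before any password comparison happens, and the wait doubles on every genuine failure until it reaches the cap; a source that stays quiet for the whole window is forgiven, so an occasional mistyped password does not lock a legitimate administrator out for good.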


Mailman-Developers mailing list
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 

Security Policy: http://wiki.list.org/x/QIA9