On Mon, 5 Jan 2009, Edilson Azevedo wrote:
Hi Barry, and thanks for answering!
You said "should". But in 95% of the lists that I look at, those links are
always open. A random example: the official Mailman mailing list. Follow my
steps:
1 - Open this link: http://mail.python.org/mailman/admin
2 - Then click on "create a new mailing list"
3 - You can keep trying to create a new list until you discover the correct password (if
you don't know it). But if you don't know the password, you can try to use a
bruteforcer. They are very easy to find and very, very, very easy to use.
Sometimes they work very well.. hehehe.
Again: anyone, anywhere, can try to create a new list. Is that correct??!!
Thanks Barry!!!
P.S.: Try those same steps on other mailing list sites. It always works!
Allow me to chime in and ask how this would be different if the form were
behind a login screen? Or any form at all? You can "brute force" any
screen in Mailman and, afaik, there's no timeout or backoff interval.
I see this as a non-issue, personally, but I do think it looks bad, and I
think that screen should, in a perfect world, be shown ONLY if there is
a "list creator" password with no other privileges (but then, if that were
the behavior, it would leak that fact).
Just my 0.02.
-Dan
_______________________________________________
Mailman-Developers mailing list
mailman-developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives:
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
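Dan's point is that the create-list form is no different from any other Mailman screen because there is no timeout or backoff interval on failed password attempts. The following is an added example, not Mailman's own code, showing what such a backoff looks like and how much it changes the picture for a single-source brute-force run. It assumes, for illustration only, that the creator password is stored as a SHA-256 hex digest and that the throttling key is the client IP; the wordlist, secret and address are constructed.

```python
"""Added example (not Mailman code): a password check with and without a
per-source exponential backoff, plus a simulated brute-force run against each.

Assumptions: the secret is stored as a SHA-256 hex digest and the source
identifier is the client IP. Both are illustration choices, not Mailman's
actual storage or request handling.
"""
import hashlib
import hmac
import time


def hash_password(password):
    """Stored form of the secret (assumed SHA-256 hex digest)."""
    return hashlib.sha256(password.encode()).hexdigest()


class NoBackoff:
    """Policy matching the thread's description: every guess is evaluated."""
    def retry_after(self, source):
        return 0.0

    def record_failure(self, source):
        return 0.0

    def record_success(self, source):
        pass


class ExponentialBackoff:
    """Refuse further guesses from a source for a delay that doubles after each
    failure (1 s, 2 s, 4 s, ...) up to max_delay. The clock is injected so the
    behaviour can be simulated without sleeping."""
    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # source -> (failure_count, not_before_timestamp)

    def retry_after(self, source):
        _, not_before = self._state.get(source, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, source):
        failures, _ = self._state.get(source, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[source] = (failures, self.clock() + delay)
        return delay

    def record_success(self, source):
        self._state.pop(source, None)


def check_password(policy, source, stored_hash, guess):
    """Return ("ok" | "bad" | "throttled", seconds_until_next_attempt).
    A throttled request is rejected before the guess is examined at all."""
    wait = policy.retry_after(source)
    if wait > 0:
        return "throttled", wait
    if hmac.compare_digest(hash_password(guess), stored_hash):
        policy.record_success(source)
        return "ok", 0.0
    return "bad", policy.record_failure(source)


class FakeClock:
    """Manually advanced clock so the simulation finishes instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce(wordlist, stored_hash, policy, clock, rate=100.0, window=60.0):
    """One source fires guesses at `rate` per second for `window` seconds,
    moving to the next word only when a guess was actually evaluated.
    Returns (guesses_evaluated, secret_found)."""
    source = "203.0.113.7"  # constructed, documentation-range address
    deadline = clock.now + window
    evaluated, i = 0, 0
    while i < len(wordlist) and clock.now < deadline:
        status, _ = check_password(policy, source, stored_hash, wordlist[i])
        if status != "throttled":
            evaluated += 1
        if status == "ok":
            return evaluated, True
        if status == "bad":
            i += 1
        clock.advance(1.0 / rate)
    return evaluated, False


def run_demo():
    """Constructed wordlist of 1000 candidates with the secret at position 500."""
    wordlist = ["word%04d" % n for n in range(1000)]
    stored = hash_password("word0500")
    no_guard = simulate_bruteforce(wordlist, stored, NoBackoff(), FakeClock())
    clock = FakeClock()
    guarded = simulate_bruteforce(wordlist, stored, ExponentialBackoff(clock=clock), clock)
    return {"no_backoff": no_guard, "exponential_backoff": guarded}


if __name__ == "__main__":
    print(run_demo())
```

With no backoff the simulated attacker at 100 guesses/s reaches the secret after 501 evaluated guesses, about five seconds in; with the doubling delay it gets only six guesses evaluated in a full minute. The caveat a practitioner would add: keying the backoff on the client address alone is defeated by spreading the attempts across many sources, while keying it on the single shared creator password instead turns a brute-force attempt into a denial of service for the legitimate administrator. The usual compromise is a per-source backoff plus a slower-growing global one, and logging of every failed attempt so the activity is visible either way.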