Barry Warsaw wrote:
>
> On Jan 5, 2009, at 1:12 PM, [email protected] wrote:
>
>> I suspect the default should be to not expose those things. I wasn't even
>> aware that list creation through the web was possible. Based on the
>> extremely novice questions I see posted to mailman-users on occasion I
>> suspect many potential Mailman admins are unaware of this as well. I fear
>> those admins are also the ones most likely to not create strong
>> passwords.
>
> Note that by default, it's not possible to create mailing lists
> through the web even though the link exists. You have to create a
> site password or 'list creators' password to enable this feature. A
> site admin should know enough to set these passwords to something
> strong and difficult to brute force.
>
> Still, the suggestions for disabling this CGI are easy enough, and if
> you have shell access to create those passwords, you have shell access
> to disable the CGI.
As Barry points out, the door is neither open nor easily opened by default. Also, in a default installation, alias generation is manual, and creating a list from the web is not sufficient to make it work.

Further, I think this whole list create issue is a red herring. If I were a black-hat looking to create a list on your server to use for my own nefarious purposes, I think I'd use my dictionary attack to try to access the admin interface of an existing list where the password is more likely to be weak. Once I have the admin password for an existing list, I can do anything with that list that I might have done with a new list, and incidentally do more damage to the installation (or at least that one list) in the process.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
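The threat Mark describes, a dictionary attack against the admin interface of an existing list, leaves a visible trace: a burst of login POSTs to one list's admin URL from one source. The script below is an added example for site admins, not Mailman's own code. It assumes the web server writes a Common Log Format access log and that a Mailman 2.x list-admin login is a POST to /mailman/admin/<listname>; the log lines embedded in it are constructed, with RFC 5737 documentation addresses, and the threshold and window are arbitrary starting points to tune for your site.

```python
"""Flag bursts of list-admin login POSTs in a web-server access log.

Added example (not part of Mailman). Assumptions: Common Log Format lines,
and that an admin login attempt is a POST to /mailman/admin/<listname>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumed admin URL layout for a Mailman 2.x install under /mailman/
ADMIN_RE = re.compile(r'^/mailman/admin/(?P<list>[^/?]+)')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_admin_post(line):
    """Return (ip, listname, timestamp) for an admin-login POST, else None."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'POST':
        return None
    a = ADMIN_RE.match(m.group('path'))
    if not a:
        return None
    ts = datetime.strptime(m.group('ts'), TS_FMT)
    return m.group('ip'), a.group('list'), ts


def find_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Map (ip, listname) -> peak count of admin POSTs inside any sliding
    window of length `window`, for sources that reach `threshold`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_admin_post(line)
        if rec:
            ip, listname, ts = rec
            events[(ip, listname)].append(ts)

    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = peak = 0
        # Two-pointer sweep: widen the window from the right, shrink from the
        # left as soon as it exceeds `window`, and track the largest size seen.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


# Constructed sample log: one legitimate admin login, one unrelated GET,
# and twelve POSTs in under two minutes from a single source.
SAMPLE_LOG = [
    '198.51.100.5 - - [05/Jan/2009:09:02:11 -0800] '
    '"POST /mailman/admin/announce HTTP/1.1" 200 4321',
    '198.51.100.5 - - [05/Jan/2009:09:02:15 -0800] '
    '"GET /mailman/admin/announce/general HTTP/1.1" 200 9876',
    '203.0.113.7 - - [05/Jan/2009:13:19:50 -0800] '
    '"GET /mailman/admin/announce HTTP/1.1" 200 3000',
] + [
    '203.0.113.7 - - [05/Jan/2009:13:%02d:%02d -0800] '
    '"POST /mailman/admin/announce HTTP/1.1" 200 4321'
    % (20 + i // 6, (i % 6) * 10)
    for i in range(12)
]


if __name__ == '__main__':
    for (ip, listname), count in find_bursts(SAMPLE_LOG).items():
        print('%s: %d admin POSTs to list %r within 5 minutes' % (ip, count, listname))
```

Because a failed Mailman admin login is answered with the login form again at HTTP 200, the status code cannot distinguish success from failure, which is why the script counts POST volume per source and list rather than looking for error responses; pair it with the mitigations already in the thread (strong site and list passwords, and disabling the create CGI when unused).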
