RE: [Mailman-Users] Mailman Security.

Wed, 05 Feb 2003 07:48:43 -0800 

At 11:44 05/02/2003, dino wrote:

Actually he did it this way:

Noticed that mydomain/mailman was browsable.
What additions did you make to your server's httpd.conf to support running mailman

Telneted to port 80 and sent a get request from there...ouch.

In effect like every other request to your server.


Sorting that now
Re the telnet thing, there is nothing to sort as regards using a telnet client to connect to a HTTP server.

But, if you are saying you run a telnet server exposed to the internet on you server, you really should consider switching to running SSH and cease and desist the telnet server.

This problem is likely to be due to poor setup of your httpd.conf.

Dino

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
John Buttery
Sent: 05 February 2003 11:27
To: 'Mailman users Mailing list'
Subject: Re: [Mailman-Users] Mailman Security.


* dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -0000]:
> I was just wondering what kind of security mailman offers, as far as
> protecting user passwords goes?

  Pretty much none.  It emails them cleartext once a month, for
starters.  The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!).  The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.
> A techy friend of mine has just kindly emailed me a list of all users
> and their passwords! Looking at my server logs it would appear that he

> snuck in somehow via anonymous ftp.
If your httpd server and httpd.conf setup is sound then it should not be possible to access the files storing MM's user passwords via the HTTP server.

If you've got a insecure ftp setup on your server then anything is possible and God or the devil will surely punish you.

  Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem.  :)

> Would closing the anon. ftp service stop mailman working in anyway, or

> dya reckon he got in some place else?

  I don't see why stopping an ftpd would affect mailman...

--
------------------------------------------------------------------------
 John Buttery
                                     (Web page temporarily unavailable)
------------------------------------------------------------------------


------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/

This message was sent to: archive@jab.org
Unsubscribe or change your options at
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Reply via email to