At 11:44 05/02/2003, dino wrote:
What additions did you make to your server's httpd.conf to support running mailmanActually he did it this way:Noticed that mydomain/mailman was browsable.
Telneted to port 80 and sent a get request from there...ouch.
In effect like every other request to your server.
Re the telnet thing, there is nothing to sort as regards using a telnet client to connect to a HTTP server.Sorting that now
But, if you are saying you run a telnet server exposed to the internet on you server, you really should consider switching to running SSH and cease and desist the telnet server.
This problem is likely to be due to poor setup of your httpd.conf.
If your httpd server and httpd.conf setup is sound then it should not be possible to access the files storing MM's user passwords via the HTTP server.Dino -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Buttery Sent: 05 February 2003 11:27 To: 'Mailman users Mailing list' Subject: Re: [Mailman-Users] Mailman Security. * dino <[EMAIL PROTECTED]> [2003-02-05 10:32:16 -0000]: > I was just wondering what kind of security mailman offers, as far as > protecting user passwords goes? Pretty much none. It emails them cleartext once a month, for starters. The list signup page explicitly instructs subscribers not to use important passwords (even in bold!). The intent of the password system in Mailman (this is my interpretation, not backed up with any actual information) is to protect against malicious [un]subscriptions of others by casual idiots on the Net, not against determined attackers. > A techy friend of mine has just kindly emailed me a list of all users > and their passwords! Looking at my server logs it would appear that he > snuck in somehow via anonymous ftp.
If you've got a insecure ftp setup on your server then anything is possible and God or the devil will surely punish you.
Then you have an incorrectly installed/configured/patched ftp server problem, not a mailman problem. :) > Would closing the anon. ftp service stop mailman working in anyway, or > dya reckon he got in some place else? I don't see why stopping an ftpd would affect mailman... -- ------------------------------------------------------------------------ John Buttery (Web page temporarily unavailable) ------------------------------------------------------------------------
------------------------------------------------------ Mailman-Users mailing list [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ This message was sent to: archive@jab.org Unsubscribe or change your options at http://mail.python.org/mailman/options/mailman-users/archive%40jab.org