On Fri, Sep 04, 2009 at 09:02:58AM -0500, Barry Finkel wrote:

> Our cyber security group sent me notice of a vulnerability in
> a Mailman web page:
>
> Web Application Potentially Sensitive CGI Parameter Detection

This almost certainly is from a Nessus scan - see:

http://www.nessus.org/plugins/index.php?view=single&id=40773

This particular "plugin" isn't reporting a vulnerability per se (i.e., its
risk factor is "None"). Instead, it notes that the name of one or more
parameters suggests it might be sensitive in some fashion.

> I think it is the URL:
>
> mailman/create

Probably. That form has a parameter named 'password' ("Initial list
password"), which could be sniffed if the target web server doesn't use
HTTPS.

> As I do not use that web page to create a new Mailman list, I want to
> disable that page.

Not a bad idea.

Disclaimer: I work for Tenable Network Security as Director of
Vulnerability Research, which, among other things, is responsible for
writing the plugins for Nessus.

George
-- 
the...@tifaware.com

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
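Added example, not from the thread and not Nessus's or Mailman's code: a small Python check that does in miniature what the plugin described above does, flagging form parameters whose names look sensitive and noting whether the form would submit them over plaintext HTTP. The sensitive-name pattern, the sample form and the lists.example.com host are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Names that usually carry a credential (assumed list, not the plugin's own).
SENSITIVE_NAME = re.compile(r"passw(or)?d|^pass$|pwd|secret|token", re.I)


class FormCollector(HTMLParser):
    """Collect each form's action, method and parameter names from a page."""
    def __init__(self):
        super().__init__()
        self.forms = []    # finished forms
        self._form = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "params": []}
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):
                self._form["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def find_sensitive_params(page_url, html):
    """One finding per sensitive-looking parameter: where the form submits, whether
    that is plaintext HTTP (sniffable) and whether the value rides in the query string."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        for name in form["params"]:
            if SENSITIVE_NAME.search(name):
                findings.append({"param": name, "target": target,
                                 "plaintext": urlsplit(target).scheme != "https",
                                 "in_query_string": form["method"] == "get"})
    return findings


# Constructed stand-in for the Mailman list-creation form (not the real page).
SAMPLE_HTML = """<form method="POST" action="/mailman/create">
<input type="text" name="listname"><input type="password" name="password">
<input type="submit" name="doit" value="Create List"></form>"""
```

Running `find_sensitive_params("http://lists.example.com/mailman/create", SAMPLE_HTML)` reports only the `password` field, marked as submitted over plaintext; the same page under https:// clears the plaintext flag but still lists the parameter, which is the "risk factor None, name looks sensitive" distinction made above.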