I wrote on Sep 4:

>>>Our cyber security group sent me notice of a vulnerability in
>>>a Mailman web page:
>>>
>>>     Web Application Potentially Sensitive CGI Parameter Detection
>>>
>>>I think it is the URL:
>>>
>>>     mailman/create

and Mark Sapiro replied:

>>If there really is a Mailman security issue, please post the details to
>>mailman-secur...@python.org.

and "George A. Theall" <the...@tifaware.com> replied:

>This almost certainly is from a Nessus scan - see:
>
>  http://www.nessus.org/plugins/index.php?view=single&id=40773
>
>This particular "plugin" isn't reporting a vulnerability per se (ie, its
>risk factor is "None"). Instead, it notes that the name of one or more
>parameters suggests it might be sensitive in some fashion.

>Disclaimer: I work for Tenable Network Security as Director of
>Vulnerability Research, which, among other things, is responsible for
>writing the plugins for Nessus.

I was able to block access to the mailman/create page on my Mailman
test virtual machine, but the same code did not work on the production
Mailman machine. I have asked my Apache expert to look at why.
On the test machine I was successful, but a Nessus scan on that
machine still reports

     Web Application Potentially Sensitive CGI Parameter Detection

What other Mailman web page(s) would cause this? Thanks.

----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: bsfin...@anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994