Barry Finkel wrote:

> I was able to block access to the
>
>     mailman/create
>
> page on my Mailman test virtual machine, but the same code did not
> work on the production Mailman machine. I have asked my Apache expert
> to look at why.
>
> On the test machine I was successful, but a Nessus scan on that
> machine still reports
>
>     Web Application Potentially Sensitive CGI Parameter Detection
>
> What other Mailman web page(s) would cause this? Thanks.
If I correctly understand George Theall's explanation, any page that posts CGI fields with names that look like they might be passwords. This includes any of the admindb, admin, private and options login pages. I don't know enough about how Nessus works to know if it can scan pages that can only be reached after login, but if so, probably also the admin Passwords page and the options page itself.

Again, if I correctly understand what Nessus is doing, there would seem to be only two ways to avoid these reports: disable all web access to Mailman, or allow only https access to Mailman. For the latter, see the FAQ at <http://wiki.list.org/x/7oA9>.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
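As an added illustration (not part of this thread, and not Mailman's or Nessus's code), the script below applies the heuristic Mark describes to a set of pages: it walks every form on each page, picks out input fields that are of type password or whose names look like password parameters, and records whether the form would be submitted over plain HTTP, which is the condition the https-only mitigation removes. The sample pages are constructed to resemble the Mailman admin, admindb, private and options login forms; the URLs, field names and the name-matching pattern are assumptions, not Nessus's actual rule or Mailman's exact markup.

```python
"""Locate form fields that look like credentials and flag plain-HTTP submission.

Added example: approximates the kind of check behind a 'potentially sensitive
CGI parameter' scanner finding so an administrator can predict which pages
will trigger it and confirm that forcing https clears the plaintext condition.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristic for credential-like parameter names (not Nessus's real list).
SENSITIVE_NAME = re.compile(r"(pass|pw|pwd|secret|token)", re.IGNORECASE)


class FormFieldCollector(HTMLParser):
    """Collect (action, method, fields) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({"name": a.get("name", ""),
                                            "type": a.get("type", "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_sensitive_fields(page_url, html):
    """Return one finding per credential-like field, noting plaintext submission."""
    parser = FormFieldCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])   # resolve relative actions
        plaintext = urlparse(target).scheme == "http"
        for field in form["fields"]:
            if field["type"] == "password" or SENSITIVE_NAME.search(field["name"]):
                findings.append({"page": page_url, "action": target,
                                 "field": field["name"], "type": field["type"],
                                 "method": form["method"], "plaintext": plaintext})
    return findings


def scan_all(pages):
    """Run find_sensitive_fields over a {url: html} mapping."""
    findings = []
    for url, html in pages.items():
        findings.extend(find_sensitive_fields(url, html))
    return findings


def plaintext_pages(findings):
    """Pages that post a credential-like field over plain HTTP."""
    return sorted({f["page"] for f in findings if f["plaintext"]})


# Constructed sample pages modelled on Mailman's login forms (hypothetical host).
SAMPLE_PAGES = {
    "http://lists.example.org/mailman/admin/testlist": """
        <form method="POST" action="/mailman/admin/testlist">
          <input type="password" name="adminpw" size="30">
          <input type="submit" name="admlogin" value="Let me in...">
        </form>""",
    "http://lists.example.org/mailman/admindb/testlist": """
        <form method="POST" action="/mailman/admindb/testlist">
          <input type="password" name="adminpw" size="30">
          <input type="submit" name="admlogin" value="Let me in...">
        </form>""",
    "http://lists.example.org/mailman/private/testlist/": """
        <form method="POST" action="/mailman/private/testlist/">
          <input type="text" name="username">
          <input type="password" name="password">
          <input type="submit" name="submit" value="Let me in...">
        </form>""",
    # Served over https only: the field is still reported, but not as plaintext.
    "https://lists.example.org/mailman/options/testlist": """
        <form method="POST" action="/mailman/options/testlist">
          <input type="text" name="email">
          <input type="password" name="password">
          <input type="submit" name="login" value="Log in">
        </form>""",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_PAGES):
        print(f"{f['page']}: field={f['field']!r} type={f['type']} "
              f"method={f['method']} plaintext={f['plaintext']}")
    print("pages posting credentials over http:", plaintext_pages(SAMPLE_PAGES and scan_all(SAMPLE_PAGES)))
```

Running it against real pages means fetching each URL's HTML and passing it to `find_sensitive_fields`; the `plaintext` flag is what an https-only configuration drives to `False` everywhere, while the fields themselves still exist and will still be listed by any scanner that reports on parameter names alone.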