On 12/17/2013 06:46 AM, Jon 1234 wrote:
> When I installed Mailman 2.14 I put it in the domain.com/mailman/ directory.
> This is because Mailman is accessed via domain.com/mailman/ and I thought the
> files had to be there...
>
> It does work but is this a potential security problem? What would be the best
> way to fix this?
Whether or not this is a security issue depends on your web server. There are files that contain potentially sensitive information that are world readable and/or readable by the web server. In particular, private archives may be sensitive, Mailman/mm_cfg.py can contain SUBSCRIBE_FORM_SECRET and possibly other sensitive information, and lists/*/config.pck files may be owned by the web server depending on how they were last updated, and they contain membership data.

However, typically, URLs of the form http://domain.com/mailman/... (HTTP GETs and POSTs of /mailman/...) are processed by the web server via some script alias that invokes a mailman/cgi-bin/ program to process the request. Thus, files in the domain.com/mailman/ directory should not be directly retrievable by an HTTP GET, but if they are, it's an issue. Thus the normal recommendation is to install Mailman in a directory outside the web server's normal accessible structure.

If you want to fix it, stop Mailman, rerun configure and make install, move the lists/ and archives/ directories to the new location. Update the Mailman stuff in your web server and maybe MTA (or maybe run bin/genaliases) and start Mailman.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
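A quick way to test the point Mark makes, that files under domain.com/mailman/ should not be directly retrievable by an HTTP GET: the POSIX shell check below is an added example, not code from the thread or from Mailman itself. It assumes the install prefix, the document root and the site base URL are passed as arguments, uses curl for the probe, and looks for the files Mark names (Mailman/mm_cfg.py, lists/*/config.pck and the private archives).

```shell
#!/bin/sh
# Added example (not from the thread or from Mailman): list the sensitive
# Mailman files that sit inside the web root and probe whether the web server
# returns them on a plain GET. Arguments (assumed): PREFIX DOCROOT BASE_URL.

# Print the HTTP status code for one URL (needs curl; a test may stub this).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Succeed when the install prefix lies under the document root.
inside_docroot() {
    case "${1%/}/" in
        "${2%/}"/*) return 0 ;;
    esac
    return 1
}

# Print each sensitive file that actually exists under the prefix: mm_cfg.py
# (may hold SUBSCRIBE_FORM_SECRET), per-list config.pck, private archives.
sensitive_files() {
    p=${1%/}
    for f in "$p/Mailman/mm_cfg.py" "$p"/lists/*/config.pck; do
        [ -f "$f" ] && echo "$f"
    done
    [ -d "$p/archives/private" ] && find "$p/archives/private" -type f
    return 0
}

# Usage: mm_exposure_check PREFIX DOCROOT BASE_URL
# Prints "EXPOSED <url>" for files served with 200, "OK <url> (<code>)" otherwise;
# exit status 1 when anything is exposed. Paths containing whitespace not handled.
mm_exposure_check() {
    prefix=${1%/} docroot=${2%/} base=${3%/} exposed=0
    if ! inside_docroot "$prefix" "$docroot"; then
        echo "OK: $prefix is outside $docroot, nothing to probe"
        return 0
    fi
    for f in $(sensitive_files "$prefix"); do
        url="$base${f#"$docroot"}"
        code=$(http_status "$url")
        if [ "$code" = 200 ]; then
            echo "EXPOSED $url"
            exposed=$((exposed + 1))
        else
            echo "OK $url ($code)"
        fi
    done
    [ "$exposed" -eq 0 ]
}
```

Run it as `mm_exposure_check /var/www/html/mailman /var/www/html http://domain.com`; any EXPOSED line means the web server is serving the file statically and the install should be moved outside the document root as Mark describes.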