Re: [Mailman-Users] Mailman Password Completion Vulnerability

2009-11-05 Thread Mark Sapiro
Barry Finkel wrote:
>
>Am I correct in assuming that in order to "fix" this, I would have to
>go to directory
>
> /etc/mailman/en
>
>and modify these HTML files that contain the string "password":
>
> admlogin.html contains ""
> listinfo.html contains ""
> options.html  contains ""
>
>and the place where the two "Form-Start" strings are defined.
>In the long run, is the change worth making?  Thanks.


It is more complex than that, but do you want to do it? If I understand
correctly, the consequences will be that at least simple, web browser
password managers will not remember these passwords for their users.

There is a downside to not disabling browser password management in
that a user at a public work station can allow a browser to remember a
password and this is bad, but whether this is something worth
disabling all password management for is something you need to
consider.

If you want to do it, the places where Mailman accepts passwords are:

- the admin and admindb login pages which are built from the
admlogin.html template

- the private archive login page which is built from the private.html
template

- the user options login page which is hard coded in the loginpage()
function in Mailman/Cgi/options.py

- the roster request form on the listinfo page built using the
 tag on the listinfo.html template.

- the subscribe form on the listinfo page built using the
 tag on the listinfo.html template.

- the password change fields which are part of the entire, multi-button
form on the user options page using the  tag.

You do not edit templates in the various templates/en/, etc.
directories. If you want to make site wide edited templates, you put
them in directories named templates/site/en/, etc. See the FAQ at
.

All the various  tags are ultimately processed by the
FormatFormStart() method defined in Mailman/HTMLFormatter.py

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
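As an added example (not Mailman's own code and not from either post), the following Python 3 script does the two things discussed in this exchange: it audits rendered HTML for password fields that neither the input nor its enclosing form has opted out of browser completion, which is the condition the scanner Barry quotes reports, and it rewrites a copy of a template so that password inputs carry autocomplete="off". The sample HTML is constructed to look roughly like the options and admin login forms Mark lists; its form actions and field names are assumptions, not Mailman's.

```python
"""Added example, not Mailman code: audit HTML for password fields a browser may
auto-complete, and rewrite a template copy to add autocomplete="off".

Assumed: the forms look roughly like Mailman 2.1's options/admin login forms.
The sample HTML, its actions and its field names are constructed here.
"""
import re
from html.parser import HTMLParser


class PasswordFormAudit(HTMLParser):
    """Collect <input type="password"> fields where neither the input nor the
    enclosing <form> says autocomplete="off"; that is what the scanner flags."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # (action, autocomplete) for each open <form>
        self.findings = []     # (form action, input name) for each hit

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append((a.get("action", ""), a.get("autocomplete", "").lower()))
        elif tag == "input" and a.get("type", "text").lower() == "password":
            action, form_ac = self.form_stack[-1] if self.form_stack else ("", "")
            if a.get("autocomplete", "").lower() != "off" and form_ac != "off":
                self.findings.append((action, a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_password_fields(html):
    """Return [(form action, input name), ...] for every flaggable field."""
    parser = PasswordFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)


def add_autocomplete_off(html):
    """Add autocomplete="off" to password inputs that lack it, leaving every
    other byte of the template untouched so a site override stays diffable."""
    def fix(m):
        tag = m.group(0)
        if not re.search(r"""\btype\s*=\s*["']?password\b""", tag, re.IGNORECASE):
            return tag
        if re.search(r"\bautocomplete\s*=", tag, re.IGNORECASE):
            return tag
        body = tag[:-1].rstrip()            # drop the closing '>'
        self_closing = body.endswith("/")
        if self_closing:
            body = body[:-1].rstrip()
        return body + ' autocomplete="off"' + ("/>" if self_closing else ">")
    return _INPUT_TAG.sub(fix, html)


# Constructed sample: an options-style login form with no opt-out, and an
# admin-style login form whose <form> tag already opts out.
SAMPLE = """
<form method="POST" action="../options/mylist">
<input type="hidden" name="language" value="en">
Email address: <input type="text" name="email">
Password: <INPUT type="password" name="password" size="15">
<input type="submit" name="login" value="Log in">
</form>
<form method="POST" action="../admin/mylist" autocomplete="off">
Password: <input type="password" name="adminpw" size="30">
</form>
"""

if __name__ == "__main__":
    for action, name in audit_password_fields(SAMPLE):
        print("flagged: form %s, field %s" % (action, name))
    print(add_autocomplete_off(SAMPLE))
```

Run the audit against the fetched admin, admindb, private archive, listinfo and options pages of a test list to see exactly which forms the scanner is counting. The rewrite only touches the input tags, which is what an edited template copy under templates/site/en/ can carry; a form-level attribute would instead have to be added where the <form> tag itself is generated, which Mark places in FormatFormStart() in Mailman/HTMLFormatter.py. One caveat before deciding it is worth the effort: current browsers' password managers generally ignore autocomplete="off" on login forms, so the change clears the scanner finding but does not reliably stop a browser on a shared workstation from offering to remember the password.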


Re: [Mailman-Users] Mailman-Users Digest, Vol 69, Issue 6

2009-11-05 Thread Jan Steinman

(WARNING: top posting seems appropriate here...)

But Stucki, Microsoft knows what's good for you!

On 4 Nov 09, at 03:00, mailman-users-requ...@python.org wrote:


From: "Chr. von Stuckrad" 
Date: 3 November 2009 04:03:23 PST (CA)
To: mailman-users@python.org
Subject: Re: [Mailman-Users] regexp help (OT: Edit and Mail)


On Mon, 02 Nov 2009, Savoy, Jim wrote:


Depending on the options set in vi, it can do horrible things to

indentation when you paste things in :(


:-) seen that!  Therefore modern vims have :set paste
and as long as you don't 'set nopaste' *no* munging of pastes will be
done! I need/use that all the time; I might even put it
into my '.vimrc' and make it default ...


I just looked at your original posting (using Outlook) and line 3 is
not indented, but rather continuous from line 2, and the other indents
are in columns 5 and 9 (not 4 and 8). I shall try viewing it with other
mail clients, just for kicks.


'outlook' is a  for programmers.
By Default it *reformats* everything to 'Paragraphs' of the form:
- everything NOT split by an empty line is 'supposed to be a useless
linebreak for mailtransfer', then it collects all those lines and
reformats the resulting words with single whitespaces to window-size.
- an empty line means 'paragraph end', so itself may vanish anyway
only the linebreak in a paragraph stays.

It's like Microsoft(office)Word's view of Text and you are supposed
to write html or rtf anyway :-)

If hints(warnings, whatever) are on, you'll see a line above your
munged mail, saying it removed useless newlines, and by clicking
it you can get them back.

Stucki




Modern agriculture is the use of land to convert petroleum into food.
Without petroleum we will not be able to feed the global population.
-- Robert L. Hickerson

Jan Steinman




[Mailman-Users] Mailman Password Completion Vulnerability

2009-11-05 Thread Barry Finkel
My Mailman 2.1.12 server was flagged with a low-risk vulnerability:

 42057 Web Server Allows Password Auto-Completion

and I cannot tell from the description what URLs have this
vulnerability, nor do I know how to correct it.  I know little
about apache.  One Google search at this URL

https://developer.mozilla.org/en/How_to_Turn_Off_Form_Autocompletion

shows:


For example, a typical form element line with autocompletion turned off
might look like the following: 

 http://www.example.com/form.cgi";>
 [...]
 

This form attribute is not part of any web standards but was first
introduced in Microsoft's Internet Explorer 5. Netscape introduced it
in version 6.2 -- in prior versions, this attribute is ignored. The
autocomplete attribute was added at the insistence of banks and card
issuers -- but never followed through on to reach standards
certification.


Am I correct in assuming that in order to "fix" this, I would have to
go to directory

 /etc/mailman/en

and modify these HTML files that contain the string "password":

 admlogin.html contains ""
 listinfo.html contains ""
 options.html  contains ""

and the place where the two "Form-Start" strings are defined.
In the long run, is the change worth making?  Thanks.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 240, Room 5.B.8
Argonne, IL   60439-4828
Phone:     +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet:  bsfin...@anl.gov
IBMMAIL:   I1004994
