[Mailman-Users] Mailman Password Completion Vulnerability

2009-11-05 Thread Barry Finkel
My Mailman 2.1.12 server was flagged with a low-risk vulnerability:

 42057 Web Server Allows Password Auto-Completion

and I cannot tell from the description what URLs have this
vulnerability, nor do I know how to correct it.  I know little
about apache.  One Google search at this URL

https://developer.mozilla.org/en/How_to_Turn_Off_Form_Autocompletion

shows:


For example, a typical form element line with autocompletion turned off
might look like the following: 

 <form name="form1" id="form1" method="post" autocomplete="off"
   action="http://www.example.com/form.cgi">
 [...]
 </form>

This form attribute is not part of any web standards but was first
introduced in Microsoft's Internet Explorer 5. Netscape introduced it
in version 6.2 -- in prior versions, this attribute is ignored. The
autocomplete attribute was added at the insistence of banks and card
issuers -- but never followed through on to reach standards
certification.


Am I correct in assuming that in order to fix this, I would have to
go to directory

 /etc/mailman/en

and modify these HTML files that contain the string password:

 admlogin.html  contains <FORM METHOD=POST ACTION=%(path)s>
 listinfo.html  contains <MM-Roster-Form-Start>
 options.html   contains <MM-Form-Start>

and the place where the two Form-Start strings are defined.
In the long run, is the change worth making?  Thanks.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory     Phone:     +1 (630) 252-7277
9700 South Cass Avenue          Facsimile: +1 (630) 252-4601
Building 240, Room 5.B.8        Internet:  bsfin...@anl.gov
Argonne, IL   60439-4828        IBMMAIL:   I1004994

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Mailman Password Completion Vulnerability

2009-11-05 Thread Mark Sapiro
Barry Finkel wrote:

Am I correct in assuming that in order to fix this, I would have to
go to directory

 /etc/mailman/en

and modify these HTML files that contain the string password:

 admlogin.html  contains <FORM METHOD=POST ACTION=%(path)s>
 listinfo.html  contains <MM-Roster-Form-Start>
 options.html   contains <MM-Form-Start>

and the place where the two Form-Start strings are defined.
In the long run, is the change worth making?  Thanks.


It is more complex than that, but do you want to do it? If I understand
correctly, the consequences will be that at least simple, web browser
password managers will not remember these passwords for their users.

There is a downside to not disabling browser password management in
that a user at a public work station can allow a browser to remember a
password and this is bad, but whether this is something worth
disabling all password management for is something you need to
consider.

If you want to do it, the places where Mailman accepts passwords are:

- the admin and admindb login pages which are built from the
admlogin.html template

- the private archive login page which is built from the private.html
template

- the user options login page which is hard coded in the loginpage()
function in Mailman/Cgi/options.py

- the roster request form on the listinfo page built using the
MM-Roster-Form-Start tag on the listinfo.html template.

- the subscribe form on the listinfo page built using the
MM-Subscribe-Form-Start tag on the listinfo.html template.

- the password change fields which are part of the entire, multi-button
form on the user options page using the MM-Form-Start tag.

You do not edit templates in the various templates/en/, etc.
directories. If you want to make site wide edited templates, you put
them in directories named templates/site/en/, etc. See the FAQ at
http://wiki.list.org/x/jYA9.

All the various MM-*Form-Start tags are ultimately processed by the
FormatFormStart() method defined in Mailman/HTMLFormatter.py

-- 
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

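As an added illustration (not code from the thread, and not Mailman's own), a small Python audit that follows Mark's list of password-accepting forms: it scans template text for password fields whose enclosing form lacks autocomplete="off" and reports whether the fix belongs in the template's literal <form> tag or in FormatFormStart(), which renders the MM-*Form-Start tags. The MM-* tag names it treats as password boxes and form ends, and the sample templates, are assumptions.

```python
"""Audit Mailman-style HTML templates for password fields whose form does not
carry autocomplete="off" (the scanner finding from the thread).  Assumption:
the MM-* names below are the tags Mailman expands into form starts and
password boxes; treat them as illustrative, not verified against the source."""
from html.parser import HTMLParser

MM_FORM_TAGS = {"mm-form-start", "mm-roster-form-start", "mm-subscribe-form-start"}
MM_PASSWORD_TAGS = {"mm-new-password-box", "mm-confirm-password-box"}  # assumed names

class AutocompleteAudit(HTMLParser):
    """Track the open form; flag password fields not covered by autocomplete=off."""

    def __init__(self):
        super().__init__()
        self.form = None        # (tag, autocomplete value) of the open form
        self.findings = []      # (line, message) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}   # parser already lower-cases names
        line = self.getpos()[0]
        if tag == "form" or tag in MM_FORM_TAGS:
            self.form = (tag, a.get("autocomplete", ""))
        elif tag.endswith("form-end"):                  # assumed MM-*Form-End tags
            self.form = None
        elif tag in MM_PASSWORD_TAGS or (tag == "input" and a.get("type") == "password"):
            if self.form is None:
                self.findings.append((line, "password field outside any form"))
            elif self.form[1] != "off" and a.get("autocomplete") != "off":
                # An MM tag is rendered by FormatFormStart(), so that is where the
                # attribute must be added; a literal <form> is fixed in the template.
                fix = "FormatFormStart()" if self.form[0] in MM_FORM_TAGS else "the <form> tag"
                self.findings.append((line, f'{self.form[0]} allows autocompletion; add autocomplete="off" in {fix}'))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit_template(text):
    """Return [(line, message), ...] for one template's contents."""
    p = AutocompleteAudit()
    p.feed(text)
    p.close()
    return p.findings

# Constructed samples modelled on the templates named in the thread.
ADMLOGIN_AS_IS = ('<FORM METHOD="POST" ACTION="%(path)s">\n'
                  '<INPUT TYPE="password" NAME="adminpw" SIZE="30">\n</FORM>\n')
ADMLOGIN_FIXED = ADMLOGIN_AS_IS.replace("<FORM ", '<FORM AUTOCOMPLETE="off" ')
LISTINFO_SNIPPET = "<MM-Subscribe-Form-Start>\n<mm-new-password-box>\n<MM-Form-End>\n"
```

Running audit_template() over files placed under templates/site/en/ (the site-wide override directory Mark points to) lists only the fields still exposed after an edit, so the admlogin change can be verified without touching templates/en/.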