HighDots Forums

Re: Mailman Password Completion Vulnerability

Python programming language mailing list

Mark Sapiro - 11-05-2009, 06:09 PM

Barry Finkel wrote:
> Am I correct in assuming that in order to "fix" this, I would have to
> go to directory
>
> /etc/mailman/en
>
> and modify these HTML files that contain the string "password":
>
> admlogin.html contains "<FORM METHOD=POST ACTION="%(path)s">"
> listinfo.html contains "<MM-Roster-Form-Start>"
> options.html contains "<MM-Form-Start>"
>
> and the place where the two "Form-Start" strings are defined.
> In the long run, is the change worth making? Thanks.

It is more complex than that, but do you want to do it? If I understand
correctly, the consequences will be that at least simple, web browser
password managers will not remember these passwords for their users.

There is a downside to not disabling browser password management in
that a user at a public work station can allow a browser to remember a
password and this is bad, but whether this is something worth
disabling all password management for is something you need to
consider.

If you want to do it, the places where Mailman accepts passwords are:

- the admin and admindb login pages which are built from the
admlogin.html template

- the private archive login page which is built from the private.html
template

- the user options login page which is hard coded in the loginpage()
function in Mailman/Cgi/options.py

- the roster request form on the listinfo page built using the
<MM-Roster-Form-Start> tag on the listinfo.html template.

- the subscribe form on the listinfo page built using the
<MM-Subscribe-Form-Start> tag on the listinfo.html template.

- the password change fields which are part of the entire, multi-button
form on the user options page using the <MM-Form-Start> tag.

You do not edit templates in the various templates/en/, etc.
directories. If you want to make site wide edited templates, you put
them in directories named templates/site/en/, etc. See the FAQ at
<http://wiki.list.org/x/jYA9>.

All the various <MM-*Form-Start> tags are ultimately processed by the
FormatFormStart() method defined in Mailman/HTMLFormatter.py

--
Mark Sapiro <mark (AT) msapiro (DOT) net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users (AT) python (DOT) org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/python%40highdots.com
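The two points in Mark's reply, that site-wide template overrides live in templates/site/<lang>/ rather than templates/<lang>/, and that every <MM-*Form-Start> tag is expanded by a single formatter, are illustrated below in an added example. This is not Mailman's own code (Mailman's real formatter is FormatFormStart() in Mailman/HTMLFormatter.py); the function names, the site-wide option and the sample listinfo template are all hypothetical. It shows how emitting autocomplete="off" from the one formatter covers every tag-generated form at once, and includes a small audit that flags any form containing a password field that still allows browser completion, which catches the hard-coded form tags in admlogin.html and options.py that the tag formatter does not touch.

```python
"""Added example, not Mailman code: template precedence and a single
form-start formatter that can disable browser password completion."""
import os
import re
import tempfile

# The tag names are Mailman's; everything else here is hypothetical.
FORM_START_TAGS = (
    "<MM-Form-Start>",
    "<MM-Roster-Form-Start>",
    "<MM-Subscribe-Form-Start>",
)

# Constructed sample template: a listinfo page with a roster form and a
# subscribe form, each carrying a password field.
SAMPLE_LISTINFO = """<MM-Roster-Form-Start>
Admin address: <INPUT type="text" name="roster-email">
Password: <INPUT type="password" name="roster-pw">
<INPUT type="submit" value="Visit Subscriber List">
</FORM>
<MM-Subscribe-Form-Start>
Your email: <INPUT type="text" name="email">
Pick a password: <INPUT type="password" name="pw">
</FORM>
"""


def resolve_template(root, lang, name):
    """Site override (templates/site/<lang>/) wins over the stock
    templates/<lang>/ file; the stock file is never edited in place."""
    candidates = [
        os.path.join(root, "templates", "site", lang, name),
        os.path.join(root, "templates", lang, name),
    ]
    for path in candidates:
        if os.path.exists(path):
            return path
    raise FileNotFoundError(name)


def demo_template_precedence():
    """Create both a stock and a site-override listinfo.html in a temporary
    tree and return the path (relative, with '/' separators) the resolver picks."""
    with tempfile.TemporaryDirectory() as root:
        for sub in (("templates", "en"), ("templates", "site", "en")):
            d = os.path.join(root, *sub)
            os.makedirs(d)
            with open(os.path.join(d, "listinfo.html"), "w") as f:
                f.write(SAMPLE_LISTINFO)
        chosen = resolve_template(root, "en", "listinfo.html")
        return os.path.relpath(chosen, root).replace(os.sep, "/")


def format_form_start(action, disable_autocomplete):
    """Hypothetical stand-in for FormatFormStart(): one place that decides
    whether generated forms ask the browser not to remember credentials."""
    attrs = 'METHOD=POST ACTION="%s"' % action
    if disable_autocomplete:
        attrs += ' autocomplete="off"'
    return "<FORM %s>" % attrs


def expand_form_tags(html, action, disable_autocomplete):
    """Replace every <MM-*Form-Start> tag with the formatted form opener."""
    for tag in FORM_START_TAGS:
        html = html.replace(tag, format_form_start(action, disable_autocomplete))
    return html


FORM_RE = re.compile(r"<FORM\b[^>]*>.*?</FORM>", re.IGNORECASE | re.DOTALL)
FORM_TAG_RE = re.compile(r"<FORM\b[^>]*>", re.IGNORECASE)
PASSWORD_INPUT_RE = re.compile(
    r'<INPUT\b[^>]*type\s*=\s*"?password"?[^>]*>', re.IGNORECASE)
AUTOCOMPLETE_OFF_RE = re.compile(r'autocomplete\s*=\s*"?off"?', re.IGNORECASE)


def audit_password_forms(html):
    """Return how many forms contain a password field while neither the form
    tag nor every password input carries autocomplete="off". Works on any
    rendered page, so it also covers forms hard-coded outside the tag path."""
    flagged = 0
    for form in FORM_RE.findall(html):
        pw_inputs = PASSWORD_INPUT_RE.findall(form)
        if not pw_inputs:
            continue
        form_tag = FORM_TAG_RE.match(form).group(0)
        if AUTOCOMPLETE_OFF_RE.search(form_tag):
            continue
        if all(AUTOCOMPLETE_OFF_RE.search(i) for i in pw_inputs):
            continue
        flagged += 1
    return flagged


if __name__ == "__main__":
    print("resolved:", demo_template_precedence())
    for setting in (False, True):
        page = expand_form_tags(SAMPLE_LISTINFO, "/mailman/listinfo/mylist", setting)
        print("disable_autocomplete=%s -> %d form(s) still completable"
              % (setting, audit_password_forms(page)))
```

Running the audit over the rendered admlogin, private-archive, options and listinfo pages is the quickest way to confirm that a site-wide change actually reached every form the reply lists, since the autocomplete attribute only helps where it is present on the form or the password input the browser sees.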
