We know that plain text emailed passwords are a bad idea. This will be
fixed in MM 3.

For MM 2.1, as a list member, you can turn off the periodic reminder for
any list of which you are a member. As a list owner, you can turn off
all periodic reminders from your lists. As a site admin, you can turn
off all periodic reminders from the site.

That leaves only the "request an immediate reminder and intercept the
email" attack as a vulnerability. The list subscribe form says:

You may enter a privacy password below. This provides only mild security,
but should prevent others from messing with your subscription.
*Do not use a valuable password* as it will occasionally be emailed back to you in cleartext.

which implies that such a password, even if it is not an autogenerated
one, is less likely to work in other contexts.

** Changed in: mailman
Importance: Medium => High

** Changed in: mailman
Status: New => Triaged

** Changed in: mailman
Milestone: None => mailman-2.2-3.0

privacy hole in password reminder
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

Discussion Overview
Group: mailman-coders
Posted: May 19, '10 at 5:43a
Active: May 19, '10 at 1:18p

2 users in discussion

Mark Sapiro: 1 post; Mats Ahlgren: 1 post