Bugs item #897918, was opened at 2004-02-16 11:28
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103

Category: security/privacy
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Heiko Scheit (scheit)
Assigned to: Nobody/Anonymous (nobody)
Summary: admin password is checked when it should not

Initial Comment:
admin password is checked when it should not
--------------------------------------------

To see the problem you have to be the administrator of a
list. Go to the members options login page

.../mailman/options/<listname>

and enter something like a valid email address, e.g.:

xxx@xxx.xxx

and as password enter the ADMIN password! You will get
something like:

Bug in Mailman version 2.1.4

We're sorry, we hit a bug!

The problem seems to be that the password entered in the
members options login page is also checked against the
admin password, which should not be done. It should only
be checked if the admin-cookie is set, so that the admin
(who logged on via the admin page) can also modify user
settings.

What is worse: if you enter a valid email address (of a
list member) and the admin password you are the admin.
So, any list member that happens to choose the same
password as the admin has full access to the
administrative interface.

Somehow I think it would be better to also have an admin
username and not just an admin password. Or, for each
member an admin flag can be set. The admin has to be a
member and can login with email and password as anybody
else.


----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103
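A small model of the two login checks the report contrasts, added here as an illustration; it is not Mailman's own code, and the names MailingList, authenticate_vulnerable, authenticate_hardened and options_page, the contexts and the sample addresses are assumptions made for the example. It shows the member-options form accepting the list admin password (so a member whose password collides with the admin's, or anyone typing the admin password with a non-member address, lands in the admin context, the latter with no member record to render), beside the form the report asks for, where the typed password is only compared with the member's own and the admin context comes solely from an already established admin session.

```python
"""Added illustration of the flaw in the report above; not Mailman's own code.
MailingList, authenticate_vulnerable, authenticate_hardened and options_page
are names assumed here for the sake of the example."""
import hashlib
import hmac
import secrets

# Authentication contexts, least to most privileged (assumed names).
AUTH_UNAUTHENTICATED = "Unauthenticated"
AUTH_USER = "AuthUser"              # a member editing their own options
AUTH_LIST_ADMIN = "AuthListAdmin"   # full run of the administrative interface

ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class MailingList:
    """One salted admin password hash plus one per member (assumed model)."""

    def __init__(self, admin_password, member_passwords):
        self.admin_salt = secrets.token_bytes(16)
        self.admin_hash = _hash(admin_password, self.admin_salt)
        self.members = {}
        for email, pw in member_passwords.items():
            salt = secrets.token_bytes(16)
            self.members[email.lower()] = (salt, _hash(pw, salt))

    def check_admin(self, password):
        return hmac.compare_digest(_hash(password, self.admin_salt), self.admin_hash)

    def check_member(self, email, password):
        entry = self.members.get(email.lower())
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)


def authenticate_vulnerable(lst, email, password, admin_session_valid=False):
    """Member-options login as the report describes it: the typed password is
    also tried against the admin password, most privileged context first, so
    whoever knows (or happens to share) the admin password becomes admin,
    whether or not the address belongs to a member."""
    if admin_session_valid or lst.check_admin(password):
        return AUTH_LIST_ADMIN
    if lst.check_member(email, password):
        return AUTH_USER
    return AUTH_UNAUTHENTICATED


def authenticate_hardened(lst, email, password, admin_session_valid=False):
    """What the report asks for: the password typed into the member form is
    compared only with that member's own password.  The admin context comes
    solely from a session already established on the admin login page (the
    admin cookie), never from the member form."""
    if admin_session_valid:
        return AUTH_LIST_ADMIN
    if lst.check_member(email, password):
        return AUTH_USER
    return AUTH_UNAUTHENTICATED


def options_page(lst, email, password, authenticate, admin_session_valid=False):
    """Rough stand-in for the member options CGI after its login check."""
    ctx = authenticate(lst, email, password, admin_session_valid)
    if ctx == AUTH_UNAUTHENTICATED:
        return "login form"
    if email.lower() not in lst.members:
        # The vulnerable login lets a non-member address through as admin;
        # the page then has no member record to render, which is the
        # "We're sorry, we hit a bug!" outcome quoted in the report.
        return "bug page: no member record for " + email
    return "options for %s as %s" % (email, ctx)


if __name__ == "__main__":
    # Constructed sample data: alice chose the same password as the admin.
    lst = MailingList("s3cret-admin",
                      {"alice@example.org": "s3cret-admin",
                       "bob@example.org": "bob-only"})
    for auth in (authenticate_vulnerable, authenticate_hardened):
        print(auth.__name__)
        print("  non-member + admin pw:",
              options_page(lst, "xxx@xxx.xxx", "s3cret-admin", auth))
        print("  bob + admin pw:       ", auth(lst, "bob@example.org", "s3cret-admin"))
        print("  alice + own pw:       ", auth(lst, "alice@example.org", "s3cret-admin"))
```

The point of the hardened variant is that the member form never decides admin status: a password match there can only ever yield the member context for the address it was submitted with, and the admin context is tied to the session the admin page created, so password collisions between members and the admin no longer matter.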


  • SourceForge.net at Feb 17, 2004 at 5:17 pm
    Bugs item #897918, was opened at 2004-02-16 05:28
    Message generated for change (Comment added) made by bwarsaw
    You can respond by visiting:
    https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103

    Category: security/privacy
    Group: 2.1 (stable)
    Status: Closed
    Resolution: Fixed
    Priority: 5
    Submitted By: Heiko Scheit (scheit)
    Assigned to: Nobody/Anonymous (nobody)
    Summary: admin password is checked when it should not

    ----------------------------------------------------------------------
    Comment By: Barry A. Warsaw (bwarsaw)
    Date: 2004-02-17 17:17

    Message:
    Logged In: YES
    user_id=12800

    This is fixed in cvs.

    ----------------------------------------------------------------------

    You can respond by visiting:
    https://sourceforge.net/tracker/?func=detail&atid=100103&aid=897918&group_id=103

Discussion Overview
group: mailman-coders
categories: python
posted: Feb 16, '04 at 5:28a
active: Feb 17, '04 at 5:17p
posts: 2
users: 1
website: list.org

site design / logo © 2022 Grokbase