Feature Requests item #1441723, was opened at 2006-03-02 05:48
Message generated for change (Comment added) made by msapiro
You can respond by visiting:

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: dmvianna (dmvianna)
Assigned to: Nobody/Anonymous (nobody)
Summary: privacy hole in password reminder

Initial Comment:
Mailman sends me password reminders in plain text. I
can disable this feature, but other users can manually
make it send a reminder just as if I had forgotten the
password, with no other question being asked. If smart
enough to intercept that message, the attacker could:

1) Get my password;
2) get my IP in the mail header.

Possible solutions:

1) Some sites and programs use a "secret question"
whose right answer would give the user the chance to
get a password reminder.

2) The password could be prompted in a secure html
page. I find this safer, as compared to plain text mails.

Comment By: Mark Sapiro (msapiro)
Date: 2006-05-26 18:48

Logged In: YES

I'm not sure what IP you think would be in the email header
that isn't already publicly available via a DNS query of
your email domain, or why you think even that IP would be in
the header of an intercepted mail.

Also, when you say "If smart enough to intercept that
message", are you aware of an attack that would enable this,
or are you just concerned that it could happen?

Finally, password reminders will go away in Mailman 2.2.
We'll try to keep your concern in mind as we work on their

