Mailman Password Completion Vulnerability

My Mailman 2.1.12 server was flagged with a low-risk vulnerability:

    42057 Web Server Allows Password Auto-Completion

and I cannot tell from the description what URLs have this vulnerability, nor do I know how to correct it. I know little about apache. One Google search at this URL

    https://developer.mozilla.org/en/How_to_Turn_Off_Form_Autocompletion

shows:

--------
For example, a typical form element line with autocompletion turned off might look like the following:

    <form name="form1" id="form1" method="post" autocomplete="off" action="http://www.example.com/form.cgi">
    [...]
    </form>

This form attribute is not part of any web standards but was first introduced in Microsoft's Internet Explorer 5. Netscape introduced it in version 6.2 -- in prior versions, this attribute is ignored. The autocomplete attribute was added at the insistence of banks and card issuers -- but never followed through on to reach standards certification.
--------

Am I correct in assuming that in order to "fix" this, I would have to go to directory

    /etc/mailman/en

and modify these HTML files that contain the string "password":

    admlogin.html contains "<FORM METHOD=POST ACTION="%(path)s">"
    listinfo.html contains "<MM-Roster-Form-Start>"
    options.html  contains "<MM-Form-Start>"

and the place where the two "Form-Start" strings are defined? In the long run, is the change worth making? Thanks.
----------------------------------------------------------------------
Barry S. Finkel                     Computing and Information Systems Division
Argonne National Laboratory         Phone:     +1 (630) 252-7277
9700 South Cass Avenue              Facsimile: +1 (630) 252-4601
Building 240, Room 5.B.8            Internet:  BSFinkel@...
Argonne, IL 60439-4828              IBMMAIL:   I1004994
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@...
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/lists%40nabble.com
Re: Mailman Password Completion Vulnerability

Barry Finkel wrote:

> Am I correct in assuming that in order to "fix" this, I would have to
> go to directory
>
>     /etc/mailman/en
>
> and modify these HTML files that contain the string "password":
>
>     admlogin.html contains "<FORM METHOD=POST ACTION="%(path)s">"
>     listinfo.html contains "<MM-Roster-Form-Start>"
>     options.html  contains "<MM-Form-Start>"
>
> and the place where the two "Form-Start" strings are defined,
> In the long run, is the change worth making? Thanks.

It is more complex than that, but do you want to do it?

If I understand correctly, the consequences will be that at least simple, web browser password managers will not remember these passwords for their users. There is a downside to not disabling browser password management in that a user at a public work station can allow a browser to remember a password and this is bad, but whether this is something worth disabling all password management for is something you need to consider.

If you want to do it, the places where Mailman accepts passwords are:

- the admin and admindb login pages which are built from the admlogin.html template
- the private archive login page which is built from the private.html template
- the user options login page which is hard coded in the loginpage() function in Mailman/Cgi/options.py
- the roster request form on the listinfo page built using the <MM-Roster-Form-Start> tag on the listinfo.html template.
- the subscribe form on the listinfo page built using the <MM-Subscribe-Form-Start> tag on the listinfo.html template.
- the password change fields which are part of the entire, multi-button form on the user options page using the <MM-Form-Start> tag.

You do not edit templates in the various templates/en/, etc. directories. If you want to make site wide edited templates, you put them in directories named templates/site/en/, etc. See the FAQ at <http://wiki.list.org/x/jYA9>.

All the various <MM-*Form-Start> tags are ultimately processed by the FormatFormStart() method defined in Mailman/HTMLFormatter.py

--
Mark Sapiro <mark@...>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
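The scanner finding in this thread fires on any <input type="password"> that neither carries autocomplete="off" itself nor sits inside a <form> that does. The following is an added example, not Mailman's own code and not from either poster: a small Python helper that (a) lists the password fields a scanner would still flag in a piece of Mailman-style HTML and (b) rewrites the <form> and password <input> tags to add autocomplete="off". It is case-insensitive because the template quoted above uses upper-case tags (<FORM METHOD=POST ACTION="%(path)s">) while Python-generated pages such as the options login page use lower case. The sample HTML is constructed for the example; only the FORM line is modelled on the admlogin.html snippet quoted in the thread, and the function names are the example's own. Applied to copies of the templates in templates/site/en/ it covers the template-built forms; because the options login page is hard coded in Mailman/Cgi/options.py, that page would need the same rewrite applied to the generated output (or a code change) rather than a template edit.

```python
"""Find and fix password fields that allow browser auto-completion.

Added example, not part of Mailman. Works on template text or generated
HTML; tag and attribute names are matched case-insensitively.
"""
import re

# Opening <form ...> / <input ...> tags, any case, attributes untouched.
_FORM_TAG = re.compile(r'<form\b[^>]*>', re.IGNORECASE)
_INPUT_TAG = re.compile(r'<input\b[^>]*>', re.IGNORECASE)
# A whole <form>...</form> block (non-greedy, spans lines).
_FORM_BLOCK = re.compile(r'<form\b[^>]*>.*?</form>', re.IGNORECASE | re.DOTALL)
_TYPE_PASSWORD = re.compile(r'\btype\s*=\s*["\']?password["\']?', re.IGNORECASE)
_HAS_AUTOCOMPLETE = re.compile(r'\bautocomplete\s*=', re.IGNORECASE)
_AUTOCOMPLETE_OFF = re.compile(r'\bautocomplete\s*=\s*["\']?off["\']?', re.IGNORECASE)


def unprotected_password_fields(html):
    """Return the <input type="password"> tags a scanner would still flag.

    A field is safe when it, or its enclosing <form>, says autocomplete="off".
    Password fields outside any <form> are not considered (browsers will not
    submit them anyway).
    """
    flagged = []
    for block in _FORM_BLOCK.findall(html):
        open_tag = _FORM_TAG.search(block).group(0)
        if _AUTOCOMPLETE_OFF.search(open_tag):
            continue  # the form covers all of its fields
        for m in _INPUT_TAG.finditer(block):
            tag = m.group(0)
            if _TYPE_PASSWORD.search(tag) and not _AUTOCOMPLETE_OFF.search(tag):
                flagged.append(tag)
    return flagged


def _with_autocomplete_off(tag):
    """Insert autocomplete="off" before the closing '>' of one opening tag.

    Leaves the tag alone if it already has an autocomplete attribute, so the
    rewrite is idempotent; preserves the original case and a trailing '/>'.
    """
    if _HAS_AUTOCOMPLETE.search(tag):
        return tag
    body = tag[:-1].rstrip()
    if body.endswith('/'):
        return body[:-1].rstrip() + ' autocomplete="off" />'
    return body + ' autocomplete="off">'


def disable_form_autocomplete(html, password_fields_only=False):
    """Return html with autocomplete="off" added.

    Default: every <form> gets the attribute, which is what editing the
    <MM-*Form-Start> output achieves and disables completion for all fields
    in the form (including the e-mail address on the listinfo page).
    password_fields_only=True: mark only <input type="password"> fields, so
    browsers may still remember non-secret fields.
    """
    if not password_fields_only:
        html = _FORM_TAG.sub(lambda m: _with_autocomplete_off(m.group(0)), html)

    def fix_input(m):
        tag = m.group(0)
        return _with_autocomplete_off(tag) if _TYPE_PASSWORD.search(tag) else tag

    return _INPUT_TAG.sub(fix_input, html)


# Constructed sample: first form modelled on the admlogin.html form start
# quoted in the thread, second on a lower-case generated login page. The
# input fields are illustrative, not copied from Mailman.
SAMPLE = '''<FORM METHOD=POST ACTION="%(path)s">
<INPUT TYPE="password" NAME="adminpw" SIZE="30">
<INPUT TYPE="submit" NAME="admlogin" VALUE="Let me in...">
</FORM>
<form method="post" action="/mailman/options/mylist">
<input type="text" name="email">
<input type=password name="password">
<input type="submit" name="login" value="Log in">
</form>'''


if __name__ == '__main__':
    print('before:', unprotected_password_fields(SAMPLE))
    fixed = disable_form_autocomplete(SAMPLE)
    print('after: ', unprotected_password_fields(fixed))
    print(fixed)
```

Run the check first to see which forms the scanner is complaining about, then decide between marking whole forms (what Mark's template approach does) and marking only the password inputs. One caveat worth knowing before doing this work at all: current browsers (Firefox, Chrome, Safari, Edge) ignore autocomplete="off" on login password fields and offer to save the password regardless, so the attribute mainly satisfies the scanner rather than changing what users' password managers do.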
Re: Mailman Password Completion Vulnerability

On 5-Nov-2009, at 14:35, Barry Finkel wrote:

> Am I correct in assuming that in order to "fix" this, I would have to
> go to directory

When you 'fix' this you piss people off. Severely.

--
I've got Mathematica 2.2 on my Quadra