Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security flaw in Full Disclosure mailing list

From: Fyodor <fyodor () nmap org>
Date: Wed, 2 Apr 2014 11:38:12 -0700
On Wed, Apr 2, 2014 at 6:43 AM, Nick Lindridge <nick () ioncube com> wrote:



Apologies if this has been pointed out before, hard to imagine that it
hasn't really. When signing up for the list, I was surprised that it
emailed back my password in plain text.



Hi Nick.  Yeah, Mailman does that sort of thing.  But to their credit, on
the list description/signup page at (
http://nmap.org/mailman/listinfo/fulldisclosure), the text above the
password box says:

"You may enter a privacy password below. This provides only mild security,
but should prevent others from messing with your subscription. Do not use a
valuable password as it will occasionally be emailed back to you in
cleartext."

They should probably just call it a confirmation token or something instead
of password, as the point is just to prove you're the one getting email at
the given address so you can edit your list subscription preferences.  I
never enter a token and let Mailman choose one for me.

Cheers,
Fyodor

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: