Full Disclosure mailing list archives
Re: Security flaw in Full Disclosure mailing list
From: Ron <ron () skullsecurity net>
Date: Wed, 2 Apr 2014 13:25:14 -0700
That doesn't change the fact that it's storing the passwords in plaintext, though, it just hides the 'your passwords are completely insecure' issue a little bit. Ron On 2014-04-02 16:06, Jim Popovitch wrote:
Mailman always needs some post-install tweaks..... Just apply this (for mm 2.1.x) --- cron/mailpasswds 2012-11-02 03:19:11 +0000 +++ cron/mailpasswds 2013-03-03 21:26:43 +0000 @@ -184,7 +184,7 @@ fmt = '%s\n %-10s\n%s\n' else: fmt = '%-40s %-10s\n%s\n' - table.append(fmt % (listaddr, password, optionsurl)) + table.append(fmt % (listaddr, "********", optionsurl)) # Figure out which language to use langcnt = 0 poplang = None -Jim P. On Wed, Apr 2, 2014 at 3:20 PM, Fyodor <fyodor () nmap org> wrote:On Wed, Apr 2, 2014 at 11:54 AM, Jimmy Crossley <jcrossley () conetrix com>wrote:This "feature" can be disabled in the options after logging in at http://nmap.org/mailman/options/fulldisclosure. Select No to the "Get password reminder email for this list?" item.You don't need to worry about that on this list (or any other list I run) since the monthly password "reminder" feature is fully disabled. But these are great instructions for people to use on any lists which do send the annoying reminders. Mailman on this list does still send the "password" it generates at list subscription time and if you request a password reminder. This is just used for people to edit their individual list preferences. Cheers, Fyodor _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Security flaw in Full Disclosure mailing list Nick Lindridge (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Ron (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Fyodor (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Reindl Harald (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Eric G (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Jimmy Crossley (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Fyodor (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Jim Popovitch (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Ron (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Jim Popovitch (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Jeffrey Walton (Apr 02)
- Re: Security flaw in Full Disclosure mailing list George Chatzisofroniou (Apr 03)
- Re: Security flaw in Full Disclosure mailing list Fyodor (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Michal Zalewski (Apr 02)
- Re: Security flaw in Full Disclosure mailing list Brandon Perry (Apr 02)
- Message not available
- Re: Security flaw in Full Disclosure mailing list Brandon Perry (Apr 02)