[unisog] Recommendation for list management sw

Ronaldo Vasconcellos ronaldo at cais.rnp.br
Thu Nov 4 02:14:01 GMT 2004


Hi folks,

Actually I intended to answer Stan's original post but I've deleted it...

Well, I wouldn't use Mailman - not anymore, I've changed my mind lately. 
Sorry, I don't hate or even love listserv ;-)

We recently issued an advisory (05-28) about a vulnerability in Mailman 
versions prior to 2.1.5. It exposes users' passwords; all you have to do 
is to send a message to listname-request at example.com with the following 
commands:

password address=$subscriber_victim
password address=$subscriber_malicious

The "attacker" has to be a subscriber.

That's all. The malicious subscriber gets the victim's password. Nice for 
certain kinds of Social Engineering attacks.


More info:

[Mailman-Users] RELEASED Mailman 2.1.5
http://www.mail-archive.com/mailman-users@python.org/msg24544.html

Nessus Plugins: Mailman password retrieval
http://cgi.nessus.org/plugins/dump.php3?id=12253

CAN-2004-0412 (under review)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0412


You should give a try to EZMLM [1], a mailing list manager based on qmail. 
That's what you'll find inside SecurityFocus lists.

[1] EZMLM
    http://www.ezmlm.org
    http://www.qmail.org/top.html#ezmlm

Best regards,

--
Ronaldo C Vasconcellos
CAIS/RNP - Brazilian Research Network CSIRT
http://www.rnp.br/en/cais

On Wed, 3 Nov 2004, Matt Crawford wrote:

> Date: Wed, 03 Nov 2004 17:33:29 -0600
> From: Matt Crawford <crawdad at fnal.gov>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: UNIversity Security Operations Group <unisog at lists.sans.org>
> Subject: Re: [unisog] Recommendation for list management sw
> 
> 
> On Nov 3, 2004, at 11:53, Stan Horwitz wrote:
> 
> > We currently use L-Soft's Listserv software to manage email lists here. I
> > am not happy with this software, nor is my management. I am wondering what
> > other options people on this list can recommend in place of L-Soft's
> > product.
> 
> I passionately loathe listserv.  The only reason it's still here is that I am
> not in charge of email.
> 
> I like Mailman.
> 
> 
> Did I mention that I hate listserv?
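
An added example, not part of the original post and not Mailman code: a check that reviews raw messages sent to a list's -request address for the command pattern described in the message above. It assumes you keep raw copies of that mail; the function name, the sample messages and the two heuristics (more than one password command, or a password command naming an address other than the sender) are illustrative assumptions.

```python
import email
import email.policy
import re
from email.utils import parseaddr

# Command form quoted in the post: "password address=<addr>", one per line.
PASSWORD_CMD = re.compile(r"^[ \t]*password[ \t]+address=(\S+)\s*$", re.I | re.M)

# Constructed sample messages (example.org addresses, hypothetical list "staff").
SAMPLE_OWN = (
    "From: alice@example.org\n"
    "To: staff-request@example.org\n"
    "Subject: reminder\n"
    "\n"
    "password address=alice@example.org\n"
)
SAMPLE_TWO = (
    "From: Mallory <mallory@example.org>\n"
    "To: staff-request@example.org\n"
    "Subject: reminder\n"
    "\n"
    "password address=alice@example.org\n"
    "password address=mallory@example.org\n"
)

def review_request(raw):
    """Return findings for one raw message; empty list means nothing to flag."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    if not rcpt.partition("@")[0].endswith("-request"):
        return []  # only the list's command address is of interest
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    targets = [t.lower() for t in PASSWORD_CMD.findall(text)]
    findings = []
    if len(targets) > 1:
        findings.append("multiple password commands: %d" % len(targets))
    others = sorted({t for t in targets if t != sender})
    if others:
        findings.append("password requested for other address: " + ", ".join(others))
    return findings

if __name__ == "__main__":
    for name, raw in (("SAMPLE_OWN", SAMPLE_OWN), ("SAMPLE_TWO", SAMPLE_TWO)):
        print(name, review_request(raw))
```

Hits from this check are leads for review on servers still running a Mailman version prior to 2.1.5; the fix named in the post is the 2.1.5 release.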


