[unisog] Recommendation for list management sw

Ronaldo Vasconcellos ronaldo at cais.rnp.br
Thu Nov 4 02:14:01 GMT 2004

Hi folks,

Actually I intended to answer Stan's original post but I've deleted it...

Well, I wouldn't use Mailman - not anymore, I've changed my mind lately. 
Sorry, I don't hate or even love listserv ;-)

We recently issued an advisory (05-28) about a vulnerability in Mailman 
versions prior to 2.1.5. It exposes users' passwords; all you have to do 
is to send a message to listname-request at example.com with the following:

password address=$subscriber_victim
password address=$subscriber_malicious

The "attacker" has to be a subscriber.

That's all. The malicious subscriber gets the victim's password. Nice for 
certain kinds of Social Engineering attacks.

More info:

[Mailman-Users] RELEASED Mailman 2.1.5

Nessus Plugins: Mailman password retrieval

CAN-2004-0412 (under review)

You should give a try to EZMLM [1], a mailing list manager based on qmail. 
That's what you'll find inside SecurityFocus lists.


Best regards,

Ronaldo C Vasconcellos
CAIS/RNP - Brazilian Research Network CSIRT

On Wed, 3 Nov 2004, Matt Crawford wrote:

> Date: Wed, 03 Nov 2004 17:33:29 -0600
> From: Matt Crawford <crawdad at fnal.gov>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: UNIversity Security Operations Group <unisog at lists.sans.org>
> Subject: Re: [unisog] Recommendation for list management sw
> On Nov 3, 2004, at 11:53, Stan Horwitz wrote:
> > We currently use L-Soft's Listserv software to manage email lists here. I
> > am not happy with this software, nor is my management. I am wondering what
> > other options people on this list can recommend in place of L-Soft's
> > product.
> I passionately loathe listserv.  The only reason it's still here is that I am
> not in charge of email.
> I like Mailman.
> Did I mention that I hate listserv?
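
An added example, not part of the original post or of Mailman: a check an administrator could run over mail sent to a list's -request address, flagging `password address=` commands that name an address other than the sender's. The sample messages and addresses are constructed, and the rule that a legitimate request names only the sender's own address is an assumption of this example.

```python
import email
import re
from email.utils import parseaddr

# The Mailman mail command quoted in the post: "password address=<addr>".
PASSWORD_CMD = re.compile(r"^\s*password\b.*?\baddress=(\S+)", re.IGNORECASE)

def body_text(msg):
    """Concatenate every text/plain part (handles multipart mail too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_request(raw_message):
    """Flag password commands whose address= is not the sender's own."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    targets = []
    for line in body_text(msg).splitlines():
        m = PASSWORD_CMD.match(line)
        if m:
            targets.append(m.group(1).lower())
    foreign = [t for t in targets if t != sender]
    return {"sender": sender, "targets": targets, "foreign": foreign,
            "alert": bool(foreign)}

# Constructed samples (addresses are placeholders, not from the advisory).
SUSPECT = """From: Mallory <mallory@example.net>
To: listname-request@example.com
Subject: request

password address=victim@example.org
password address=mallory@example.net
"""

BENIGN = """From: alice@example.org
To: listname-request@example.com
Subject: request

password address=alice@example.org
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, check_request(raw))
```

The From header can be forged, so a hit is a lead to correlate with the MTA log for the same message rather than proof of who sent it.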
