[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Security flaw in Full Disclosure mailing list

To: Nick Lindridge <nick@xxxxxxxxxxx>
Subject: Re: [FD] Security flaw in Full Disclosure mailing list
From: Fyodor <fyodor@xxxxxxxx>
Date: Wed, 2 Apr 2014 11:38:12 -0700

On Wed, Apr 2, 2014 at 6:43 AM, Nick Lindridge <nick@xxxxxxxxxxx> wrote:
>
>
> Apologies if this has been pointed out before, hard to imagine that it
> hasn't really. When signing up for the list, I was surprised that it
> emailed back my password in plain text.
>

Hi Nick.  Yeah, Mailman does that sort of thing.  But to their credit, on
the list description/signup page at (
http://nmap.org/mailman/listinfo/fulldisclosure), the text above the
password box says:

"You may enter a privacy password below. This provides only mild security,
but should prevent others from messing with your subscription. Do not use a
valuable password as it will occasionally be emailed back to you in
cleartext."

They should probably just call it a confirmation token or something instead
of password, as the point is just to prove you're the one getting email at
the given address so you can edit your list subscription preferences.  I
never enter a token and let Mailman choose one for me.

Cheers,
Fyodor

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] Security flaw in Full Disclosure mailing list
  - From: Nick Lindridge

Prev by Date: Re: [FD] Security flaw in Full Disclosure mailing list
Next by Date: Re: [FD] Security flaw in Full Disclosure mailing list
Previous by thread: Re: [FD] Security flaw in Full Disclosure mailing list
Next by thread: Re: [FD] Security flaw in Full Disclosure mailing list
Index(es):
- Date
- Thread