[dundee] Concerning mailman security

gordon dunlop zubenel at fedoraproject.org
Mon Aug 6 18:14:57 UTC 2012


On 6 August 2012 10:50, Nicholas Walker <tel0seh at googlemail.com> wrote:

> Hey,
>
> I've just received one of the monthly "you're subscribed to this list"
> reminder emails (as if I needed reminding every month, after receiving
> multiple emails every day.)
>
> and noticed that my password for the list was emailed to me as part of the
> content, in *plaintext*.
>
>
> I hope I don't have to remind anyone here how this breaks every rule in
> the book, passwords should ALWAYS be stored hashed, and a user should NEVER
> need to receive their password.
>
>
> please take a read over this link:
> http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
>
>
> Can this be rectified please? I'd really rather not have one of my
> passwords floating around the internets. I know who hangs out there.
>
>

Every individual, via the options menu on their personal mailman settings,
can switch off the monthly password reminders if required. I thought people
in general knew this, obviously not.

Gordon




>
> Nick.
>
> --
>
> Nick Walker
> President : The Linux Society
> UAD Ethical Hacker
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at mailman.lug.org.uk  http://dundeelug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on irc.lug.org.uk
>