Membership information leak through options page.
Bug #2015416 reported by
Mark Sapiro
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GNU Mailman |
Fix Committed
|
Low
|
Mark Sapiro | ||
Bug Description
This is similar to but different from #1968443. The issue is on a list with private rosters an attempt to log in to the options page with an email address which is not a list member just returns the options login page with no error, but attempt to login with an email address which is a list member returns the page with a 401 status and an `Authentication failed.` error message.
This could be used to fish for membership on a list with private rosters.
Related branches
Revision history for this message
| Mark Sapiro (msapiro) wrote | #1 |
| Changed in mailman: | |
| assignee: | nobody → Mark Sapiro (msapiro) |
| importance: | Undecided → Low |
| status: | New → Fix Committed |
| information type: | Private Security → Public |
To post a comment you must log in.
