Membership information leak through options page.

Bug #2015416 reported by Mark Sapiro
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GNU Mailman | Fix Committed | Low | Mark Sapiro | |

Bug Description

This is similar to but different from #1968443. The issue is that on a list with private rosters, an attempt to log in to the options page with an email address which is not a list member just returns the options login page with no error, but an attempt to log in with an email address which is a list member returns the page with a 401 status and an `Authentication failed.` error message.

This could be used to fish for membership on a list with private rosters.
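The response differential described in this report, modelled as an added example (this is not Mailman's code and not the committed fix). The function names, the sample addresses, the dummy-password comparison and the choice of a uniform 401 as the remedy are assumptions made for illustration.

```python
import hmac

# Constructed sample data: a private-roster list with a single member.
MEMBERS = {"alice@example.com": "correct horse"}
DUMMY_PASSWORD = "x" * 16  # compared against when the address is unknown


def login_vulnerable(email, password):
    """Models the reported behaviour: the failure response depends on membership."""
    if email not in MEMBERS:
        return 200, ""  # login page returned again, no error shown
    if hmac.compare_digest(MEMBERS[email].encode(), password.encode()):
        return 200, "options"
    return 401, "Authentication failed."


def login_hardened(email, password):
    """Returns the same failure response whether or not the address is subscribed."""
    stored = MEMBERS.get(email, DUMMY_PASSWORD)
    # Always perform a comparison so the non-member path does similar work.
    ok = hmac.compare_digest(stored.encode(), password.encode())
    if ok and email in MEMBERS:
        return 200, "options"
    return 401, "Authentication failed."


def leaks_membership(login, member, non_member, bad_password="wrong-guess"):
    """Regression check: do failed logins for a member and a non-member differ?"""
    return login(member, bad_password) != login(non_member, bad_password)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        leaked = leaks_membership(fn, "alice@example.com", "bob@example.com")
        print(f"{fn.__name__}: membership distinguishable = {leaked}")
```

A check like `leaks_membership` can be kept as a regression test so that status code and error text stay identical for subscribed and unsubscribed addresses on private-roster lists.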

Mark Sapiro (msapiro):
Changed in mailman:
- assignee: nobody → Mark Sapiro (msapiro)
- importance: Undecided → Low
- status: New → Fix Committed
- information type: Private Security → Public

Constance Cail (ccail88):
- tags: added: mailman3

Mark Sapiro (msapiro):
- tags: removed: mailman3