Membership information leak through options page.
Bug #2015416 reported by Mark Sapiro
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNU Mailman | Fix Committed | Low | Mark Sapiro | |
Bug Description
This is similar to but different from #1968443. The issue is that on a list with private rosters, an attempt to log in to the options page with an email address which is not a list member just returns the options login page with no error, but an attempt to log in with an email address which is a list member returns the page with a 401 status and an `Authentication failed.` error message.
This could be used to fish for membership on a list with private rosters.
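
The response difference described in this report, modelled as an added example that is not part of the original report and is not Mailman's code: a handler with the reported behaviour, a uniform-response variant, and a regression check that compares the two failure responses. The handler names, the sample roster, the 200 status for the plain login page and the mitigation shown are assumptions; the committed fix may differ.

```python
import hmac
from typing import Callable, NamedTuple


class Response(NamedTuple):
    status: int
    body: str


# Constructed sample data: one member on a list with a private roster.
ROSTER = {"member@example.com": "s3cret"}
DUMMY = "not-a-real-password"  # compared against when the address is unknown

LOGIN_PAGE = "options login page"
FAILED = "options login page: Authentication failed."


def login_leaky(email: str, password: str) -> Response:
    """Reported behaviour: a non-member gets the login page with no error,
    a member with a wrong password gets a 401 and an error message."""
    if email not in ROSTER:
        return Response(200, LOGIN_PAGE)  # 200 is an assumption
    if not hmac.compare_digest(ROSTER[email].encode(), password.encode()):
        return Response(401, FAILED)
    return Response(200, "options page for " + email)


def login_uniform(email: str, password: str) -> Response:
    """Assumed mitigation: every failed login looks the same, and a
    comparison runs whether or not the address is on the roster."""
    known = email in ROSTER
    stored = ROSTER.get(email, DUMMY)
    match = hmac.compare_digest(stored.encode(), password.encode())
    if not (known and match):
        return Response(401, FAILED)
    return Response(200, "options page for " + email)


def reveals_membership(handler: Callable[[str, str], Response],
                       member: str, non_member: str) -> bool:
    """Regression check: True when a failed login for a member is
    distinguishable (status or body) from one for a non-member."""
    wrong = "wrong-password"
    return handler(member, wrong) != handler(non_member, wrong)


if __name__ == "__main__":
    for h in (login_leaky, login_uniform):
        leak = reveals_membership(h, "member@example.com", "stranger@example.com")
        print(h.__name__, "reveals membership:", leak)
```
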