Security hole: passwords mailed in clear

Bug #265179 reported by Lpd-users
This bug affects 8 people
Affects: GNU Mailman
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

I recently signed up on a SourceForge mailing list. The software mailed a
confirmation notice to my mailbox, with the password in clear in the
message. This is a basic security hole. I reported this as a SourceForge
bug, and they said "Contact the gnu-mailman project."

In my opinion, passwords should never be mailed in clear, especially not to
the e-mail address with which they are associated. Please consider changing
this.

[http://sourceforge.net/tracker/index.php?func=detail&aid=209499&group_id=103&atid=100103]

Revision history for this message
Thomas Wouters (thomas) wrote :

The Mailman password is in no way a secure password. Mailman is intended
for a wide variety of users, most of which are unable to remember even the
simplest password ;)

The Mailman password is not used as an authentication method, but more as
a *confirmation* method. You'll get a password reminder every month or so
(if the list admin and site admin enabled that) and the only thing you use
the password for are for unsubscribing, changing your options and viewing
the private archive (if any.)

In future versions of Mailman it might be possible to use external
passwords for mailinglist subscribers, but currently the infrastructure for
that is missing. It's on the TODO list, in any case :)

Lpd-users (lpd-users) wrote :

It's OK with me if you want to close this report; in my opinion, the
Resolution should say "Won't fix".

Bburkhart (bburkhart) wrote :

Hello everyone,

To me, mailing passwords in clear text is never acceptable. In some
setups, one never knows who else is looking at the mail.

The lack of biological RAM in layer 8 is also not an excuse. There are
better ways of dealing with the password remembering problem.

Anyway, mailman is now out of the question and also uninstalled from my
machine.

Cheers
Benjamin

Mark Sapiro (msapiro) wrote :

This will finally be fixed in Mailman 2.2.

Jimpop-users (jimpop-users) wrote :

Did you read the text on the SF mailinglist subscription page? It goes
like this:

  "You may enter a privacy password below. This provides only mild
  security, but should prevent others from messing with your subscription.
  Do not use a valuable password as it will occasionally be emailed back to
  you in cleartext."

So, it's not a "bug", it's a "user following the instructions" issue. ;-)

-Jim P.

W. Prins (wprins) wrote :

Ran into this today, believe it or not, on the Python mailing list. I'm surprised that bad security is justified by referring to bad policy documentation... as if the fact that a bad idea is written as policy on a subscription page makes it suddenly a good idea or beyond criticism. IMHO users should not be told to "follow instructions" to compensate for lax handling of password data, no matter how trivial it may seem.

Barry Warsaw (barry) wrote : Re: [Bug 265179] Re: Security hole: passwords mailed in clear

On Aug 01, 2012, at 12:26 PM, W. Prins wrote:

>Ran into this today, believe it or not, on the Python mailing list. I'm
>surprised that bad security is justified by referring to bad policy
>documentation... as if the fact that a bad idea written as policy on a
>subscription page makes it suddenly a good idea or beyond criticism.
>IMHO Users should not be told to "follow instructions" to compensate for
>lax handling of password data, no matter how trivial it may seem.

You can turn off password reminders in your own preferences. Password
reminders are removed in Mailman 3 and passwords are not stored in the clear
in Mailman 3.

Changed in mailman:
status: Invalid → Confirmed
status: Confirmed → Fix Released
Barry Warsaw (barry)
Changed in mailman:
status: Fix Released → Invalid
Mark Sapiro (msapiro) wrote :

Won't fix applies to Mailman 2.1. Mailman 3 does not store clear text passwords.

Changed in mailman:
status: Invalid → Won't Fix
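The two changes Barry and Mark describe for Mailman 3 (no clear-text password storage, no password reminder mails) in the form of a small added illustration; this is not Mailman's code. The in-memory dicts, function names, the PBKDF2 parameters and the one-hour token lifetime are assumptions: subscribers' passwords are kept only as salted hashes, and actions such as unsubscribing are confirmed with a single-use, time-limited token that is mailed instead of the password.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the list's subscriber database.
SUBSCRIBERS = {}   # address -> (salt, pbkdf2 digest); the clear-text password is never kept
TOKENS = {}        # token -> (address, action, expiry); single-use confirmation tokens

def _derive(password, salt):
    # PBKDF2-HMAC-SHA256; only this digest is stored, so neither a mailbox
    # nor a database leak exposes the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def store_subscriber_password(address, password):
    """Store a salted hash of the subscriber's password instead of the password."""
    salt = os.urandom(16)
    SUBSCRIBERS[address] = (salt, _derive(password, salt))

def verify_subscriber_password(address, attempt):
    """Check a login attempt against the stored hash using a constant-time compare."""
    record = SUBSCRIBERS.get(address)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _derive(attempt, salt))

def issue_confirmation_token(address, action, ttl=3600, now=None):
    """Token to mail to the subscriber (instead of a password) to confirm one action,
    e.g. 'unsubscribe'. `now` is injectable so expiry can be tested deterministically."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (address, action, now + ttl)
    return token

def redeem_confirmation_token(token, action, now=None):
    """Return the address the token authorises for `action`, or None if the token is
    unknown, already used, issued for a different action, or expired."""
    now = time.time() if now is None else now
    record = TOKENS.pop(token, None)   # pop: any redemption attempt consumes the token
    if record is None:
        return None
    address, token_action, expiry = record
    if token_action != action or now > expiry:
        return None
    return address
```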
Ryan Foster (rytoex) wrote :

When a new list is created, the list owner is emailed the password in plain text, and I did not see a preference or option to disable this notification. This was on Mailman 2.1.14, but I did not see anything in the changelogs to indicate that this behavior would be different in 2.1.16.

Mark Sapiro (msapiro) wrote :

Ryan Foster (rytoex) wrote:

> When a new list is created, the list owner is emailed the password in plain text ...

If you create the list with bin/newlist, use the -q/--quiet option to suppress the list owner notice.

If you use the web interface, set 'Send "list created" email to list owner?' to No.

Mark Sapiro (msapiro) wrote :

One caveat on the above. If you set 'Auto-generate initial list password?' to Yes and 'Send "list created" email to list owner?' to No in the web list create process, there's no way to find out the list password. You'd have to use bin/change_pw or equivalent to set a password you know.

SonhadorPR (sonhadorpr) wrote :

Thank you!
