Mailman on SSL sends passwords in plain text

Bug #266268 reported by Doolyo
Affects: GNU Mailman
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

I have tried putting Mailman on a secure path of my
server on an https URL. It seemed to work approximately
when adding the following directive in Apache:

    RewriteCond %{HTTPS} !=on
    RewriteRule /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list
creation and I have seen that the whole form is posted IN
THE CLEAR. This is normal in fact, as we send it to the
http link first (see Bug Request #1263219). Therefore
the whole text is sent in the clear and only afterwards does the
client receive back the "document moved" redirect to https from
Apache, pointing to the proper page.

I think that this could be solved if all links of the
Mailman binaries (admin, create and so forth) dynamically
took the link specified in mm_cfg.py, in the
DEFAULT_URL_HOST tag.

However, maybe there is another clean way of putting
that on a secure URL. If so I would be interested in how to
do that, because I didn't find anything about that subject
apart from people doing it all like I did.

Thanks,
Daniel

[http://sourceforge.net/tracker/index.php?func=detail&aid=1263239&group_id=103&atid=100103]

Tags: web-cgi
Doolyo (doolyo) wrote :

P.S.:
I have seen that we can use fix_url.py to fix the URL for a
specific list. However, it does not seem to fix the links
of /mailman/create and the others and thus does not solve
the problem, as I want to have the SSL on that page.

Mark Sapiro (msapiro) wrote :

I am closing this because it seems to be a misconfiguration.

If you make DEFAULT_URL_PATTERN = 'https://%s/mailman/' or
similar (with https) in mm_cfg.py, the create page link from
the admin overview will have https as will the action=
attribute of the form element on the create page.

As you note, you must run fix_url.py to fix list-specific
URLs after making this change, but generic URLs are changed
without further action.

Also note that DEFAULT_URL_HOST should be just the fully
qualified domain name. The rest of the URL comes from
substituting the host name in DEFAULT_URL_PATTERN.
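The closing comment turns on how Mailman 2 builds its generic web URLs: it substitutes DEFAULT_URL_HOST into the '%s' of DEFAULT_URL_PATTERN, so the scheme has to live in the pattern and the host has to be a bare FQDN. The following is an added example, not Mailman's own code and not posted by either participant; it reimplements that substitution in simplified form (an assumption about the exact mechanics of Mailman/Utils.py) and checks three constructed mm_cfg.py pairs against it: the stock http default, the misconfiguration of putting a whole URL into DEFAULT_URL_HOST, and the corrected https pair. The hostname lists.example.com is hypothetical.

```python
"""Added example (not Mailman's code): how DEFAULT_URL_PATTERN and
DEFAULT_URL_HOST combine, and what goes wrong when either is set badly."""
from urllib.parse import urlsplit


def build_web_page_url(pattern, host):
    """Mailman 2 derives generic script URLs (admin overview, /create, ...)
    as DEFAULT_URL_PATTERN % DEFAULT_URL_HOST.  Simplified reimplementation
    for illustration; the real code lives in Mailman/Utils.py."""
    return pattern % host


def check_mm_cfg(pattern, host):
    """Return (resulting_url, list_of_problems) for a candidate pair of
    mm_cfg.py settings.  An empty problem list means the web UI will be
    linked over https on the intended host."""
    problems = []

    # DEFAULT_URL_HOST is only the fully qualified domain name; a scheme or
    # path here gets substituted verbatim into the pattern and doubles up.
    if '://' in host or '/' in host:
        problems.append("DEFAULT_URL_HOST must be a bare FQDN, not a URL")

    url = build_web_page_url(pattern, host)
    parts = urlsplit(url)

    # An http pattern means the admin/create forms POST in the clear first;
    # an Apache redirect to https only happens after the body has been sent.
    if parts.scheme != 'https':
        problems.append("DEFAULT_URL_PATTERN is not https; forms are "
                        "posted in the clear before any redirect")

    # If the host did not land where the pattern's '%s' expects it, the
    # links point at garbage such as https://https://...
    if parts.hostname != host.lower():
        problems.append("resulting URL does not carry the configured host: "
                        + url)
    return url, problems


# Constructed sample configurations (hypothetical hostname).
DEFAULT_HTTP = dict(pattern='http://%s/mailman/',
                    host='lists.example.com')
BROKEN_HOST = dict(pattern='https://%s/mailman/',
                   host='https://lists.example.com/mailman/')
FIXED_HTTPS = dict(pattern='https://%s/mailman/',
                   host='lists.example.com')


if __name__ == '__main__':
    for name, cfg in (('DEFAULT_HTTP', DEFAULT_HTTP),
                      ('BROKEN_HOST', BROKEN_HOST),
                      ('FIXED_HTTPS', FIXED_HTTPS)):
        url, problems = check_mm_cfg(**cfg)
        print(name, '->', url)
        for p in problems:
            print('   !', p)
```

After changing these two settings, list-specific URLs stored in each list's config still need the fix_url.py pass the comment mentions; the check above only covers the generic URLs that Mailman derives from mm_cfg.py at runtime.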
