LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

Eric Thomas <[log in to unmask]>
Wed, 17 Jun 1998 19:36:59 +0200
>I clicked on "get a new LISTSERV password first" link on the "Login Required" page, filled
>in the email address and both fields for the password.  Much to my chagrin the
>confirmation request for a list management password wasn't sent to the site owner email
>address or even the list owner address - the confirmation was sent back to the email
>address of the requestor.

Passwords are individual and, well, private. Their sole function is to confirm that you are who
you claim to be; they do not grant any kind of privileges. The list owner should not know your
password any more than you should know his! Anyone can request a LISTSERV password to
authenticate future commands.

>Now while this new user cannot manage the list (I'm assuming because the email address
>isn't one of the listed owners) it does cause me a bit of concern because the person can
>get to the list management form for managing subscribers, edit headers and templates, etc.

I assume you mean the LMGT1 screen. This screen allows you to select a list to manage, and
then move on to various screens if you have owner privileges for the selected list. Until you
have selected a list, LISTSERV cannot know whether you are the owner! Well, I guess it could
check all lists, but there are sites with thousands of lists. At any rate, you cannot do anything
without owner privileges; the web interface does not manipulate lists directly but sends
off requests to LISTSERV through a channel that will only accept commands authenticated by
a valid password (which as you know is cookie confirmed). Any user could install an evaluation
copy of LISTSERV on his PC (where he would be the owner), navigate the screens, note the
URL and/or form fields, and construct a web page that would submit the same thing to your
server. However it wouldn't work, because he wouldn't have owner privileges on your server, and
if he used your e-mail address, he wouldn't know your password.

  Eric
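
The two checks described in the message above, sketched as an added example (not LISTSERV code and not part of the original post): a personal password only authenticates the sender, and owner privileges are looked up per list on the server, so a request is rejected whichever form submitted it. All function names, addresses, passwords and the list name are hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_account(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data. Anyone may register a personal password;
# it proves identity only and carries no privileges.
PASSWORDS = {
    "owner@example.org": _make_account("owner-secret"),
    "visitor@example.net": _make_account("visitor-secret"),
}
# Privileges live in the list configuration, not in the password table.
LIST_OWNERS = {"DEMO-L": {"owner@example.org"}}

def authenticate(email: str, password: str) -> bool:
    """Step 1: is the sender who they claim to be?"""
    record = PASSWORDS.get(email.lower())
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))

def handle_owner_command(email: str, password: str,
                         list_name: str, command: str) -> str:
    """Server-side handler: every request is checked, whatever form sent it."""
    if not authenticate(email, password):
        return "REJECTED: bad password"
    # Step 2: ownership is looked up only once a list has been selected.
    if email.lower() not in LIST_OWNERS.get(list_name.upper(), set()):
        return "REJECTED: not an owner of " + list_name.upper()
    return "ACCEPTED: " + command + " on " + list_name.upper()

if __name__ == "__main__":
    # A registered non-owner reaches the handler but gets no further.
    print(handle_owner_command("visitor@example.net", "visitor-secret",
                               "demo-l", "DELETE someone@example.com"))
```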
