On Wed, 25 Aug 1999, Jessica Rasku wrote:
> On Wed, 25 Aug 1999, KEVIN MCKENZIE wrote:
> > persons address, you can hide these in the script or make the person enter
> > them to be added), then no confirmation request would be generated, and the
> > person added to the list.
>
>         This is SCARRY.  Any web input form with no confirm I consider
> really bad, but this could possibly be used really maliciously...  I'm not

We will soon be using such a procedure to add students to their course
lists each semester to bypass any confirmation. The list owner completes a
web form, specifying listname, password and their e-mail address (we also
grab all the env variables). The output of this form is fed to a program
which takes the information and builds an ADD job for each list specified.
These ADD jobs are then sent to listserv (and cc:d to a real person). The
"From:" is the Owner and the password is the Owner's passwd so all replies
and errors go to the List Owner.

The only problem I anticipate would be if some character obtains an
owner's password for one of these confidential lists and proceeds to
request an update of an existing class list.  In this case, the message
from listserv stating that "so many people have been added, etc.," would
go to the real owner and cause sufficient alarm that they would remember
the instructions to contact us.

--trish
---------------
Trish Forrest, Queen's University