Skip Navigational Links
LISTSERV email list manager
LISTSERV - COMMUNITY.EMAILOGY.COM
LISTSERV Menu
Log In
Log In
LISTSERV 17.5 Help - LSTOWN-L Archives
LISTSERV Archives
LISTSERV Archives
Search Archives
Search Archives
Register
Register
Log In
Log In

LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

Menu
LISTSERV Archives LISTSERV Archives
LSTOWN-L Home LSTOWN-L Home

Log In Log In
Register Register

Subscribe or Unsubscribe Subscribe or Unsubscribe

Search Archives Search Archives
Options: Use Forum View

Use Proportional Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: 1.8d beta problem.
From:
Eric Thomas <[log in to unmask]>
Reply To:
LISTSERV list owners' forum <[log in to unmask]>
Date:
Wed, 17 Jun 1998 19:36:59 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (29 lines)
>I clicked on "get a new LISTSERV password first" link on the "Login Required" page, filled
>in the email address and both fields for the password.  Much to my chagrin the
>confirmation request for a list management password wasn't sent to the site owner email
>address or even the list owner address - the confirmation was sent back to the email
>address of the requestor.

Passwords are individual and, well, private. Their sole function is to confirm that you are who
you claim to be, they do not grant any kind of privileges. The list owner should not know your
password any more than you should know his! Anyone can request a LISTSERV password to
authenticate future commands.

>Now while the this new user cannot manage the list (I'm assuming because the email address
>isn't one of the listed owners) it does cause me a bit of concern because the person can
>get to the list management form for managing subscribers, edit headers and templates,etc.

I assume you mean the LMGT1 screen. This screen allows you to select a list to manage, and
then move on to various screens if you have owner privileges for the selected list. Until you
have selected a list, LISTSERV cannot know whether you are the owner! Well, I guess it could
check all lists, but there are sites with thousands of lists. At any rate, you cannot do anything
without owner privileges, the web interface does not manipulate lists directly but sends
off requests to LISTSERV through a channel that will only accept commands authenticated by
a valid password (which as you know is cookie confirmed). Any user could install an evaluation
copy of LISTSERV on his PC (where he would be the owner), navigate the screens, note the
URL and/or form fields, and construct a web page that would submit the same thing to your
server. However it wouldn't work, because he wouldn't have owner privileges on your server, and
if he used your e-mail address, he wouldn't know your password.

  Eric

ATOM RSS1 RSS2

COMMUNITY.EMAILOGY.COM CataList Email List Search Powered by LISTSERV