LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Ben Parker <[log in to unmask]>
Tue, 21 Dec 1999 18:17:28 -0700
On Wed, 22 Dec 1999 08:58:38 +1100, lsvadmin <[log in to unmask]> wrote:

>The real security problem is that I can
>bookmark pages inside the product that I SHOULDNT be able to.

I did not say you should not be *able* to.  Neither LISTSERV nor any other
product that I am aware of can prevent you from bookmarking any URL you like in
your own web browser.  What the effects of revisiting that bookmarked URL at a
later date will be is unpredictable.  It may work or it may not.

What I thought I said (and I may have been unclear) was that you should not
bookmark beyond the LMGT1 page because that gives you top level access to any
List Owner functions.  (It also bookmarks without the &X= and &Y= login and
password parameters, so it is a URL that can be used by and shared with anyone;
they will have to do their own login.)  If you bookmark beyond that page, you
either need to keep several different bookmarks for the various different
functions, OR you go to the one function you have bookmarked and then have to
back up to get to another function, OR you may also be bookmarking a function
(such as deleting a user) with what will later be invalid argument parameters.

In short, the LMGT1 page is the most efficient one to bookmark (IMHO).  It may
well be that since I administer many lists on a large number of servers here at
L-Soft, and that I have the LMGT1 page for over 30 different servers bookmarked
in my browser, that my preferred way of doing things is different from yours.
You may administer only 1-2 lists on one server and you prefer to bookmark
specific individual functions.  This is merely personal preference and different
ways of working.

You even sent me (privately) a URL with the included login and password of the
sort that you are concerned about.  What we discovered is that your server is
behind a firewall and inaccessible from outside anyway so this should reduce
your security concerns.  If you remain concerned that unauthorized persons can
access your machine and do things using your bookmarked URLs then yes this is a
concern, but that is a physical access security concern that is not in
LISTSERV's realm to control and you must take appropriate physical security
measures for your equipment by some other means.  

So far you are the only person who has voiced any concerns over this.  None of
the people whose lists we host here at L-Soft have voiced similar concerns.
None of the people at the many hundreds of other LISTSERV sites have voiced
concerns.  Eric Thomas, the author of the code, who knows exactly how LISTSERV
processes it, has spoken here as well.  I'm reasonably sure they have all had
concerns, and have investigated this matter and reached their own conclusions
about this.  I presume from their silence or counter-arguments to your
assertions that they do not share your concerns.

The security exposure you are ranting about is the equivalent exposure of saving
your login userID and password on a post-it note stuck to your computer monitor.
That will never be secure from others with either curious or harmful intent, and
everyone knows it and doesn't do that (I hope!).  We will address any inadequacy
in our documentation relating to this point.  But if people insist on publishing
their password and login to the world at large, there is really nothing we nor
LISTSERV can be expected to do to prevent this beyond a reminder that it is not
a good idea.
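The post above explains that LISTSERV web-interface URLs beyond the LMGT1 page carry the login and password as &X= and &Y= query parameters, so a bookmark taken from such a page embeds the credentials. The following is an added example, not code from the post, from L-Soft or from LISTSERV itself: a small URL audit that detects those two parameters and rewrites a bookmark without them, so that whoever reopens it has to log in themselves. The parameter names X and Y come from the post; the hostname, CGI path and sample bookmarks are constructed for the example, and matching is case-sensitive on exactly those two names, which is an assumption.

```python
"""Find and strip LISTSERV-style login/password query parameters (X= and Y=)
from bookmarked URLs.

Added example; not code from the original post or from L-Soft. The parameter
names X and Y are those the post describes; everything else here is assumed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the post identifies as carrying the login (X) and the
# password (Y). Assumption: matched case-sensitively, exactly as written.
CREDENTIAL_PARAMS = frozenset({"X", "Y"})


def carries_credentials(url: str) -> bool:
    """Return True if the URL's query string contains a login or password parameter."""
    query = urlsplit(url).query
    return any(
        name in CREDENTIAL_PARAMS
        for name, _ in parse_qsl(query, keep_blank_values=True)
    )


def bookmark_safe(url: str) -> str:
    """Return the URL with X= and Y= removed, keeping every other parameter in order.

    The result still identifies the page (e.g. LMGT1=), so reopening it leads to
    a fresh login prompt instead of logging in with the embedded credentials.
    Values are re-encoded by urlencode, so e.g. '%40' comes back as '%40' but
    a literal space would be written as '+'.
    """
    parts = urlsplit(url)
    kept = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name not in CREDENTIAL_PARAMS
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


def audit_bookmarks(urls):
    """Return (original, safe) pairs for every bookmark that embeds credentials."""
    return [(u, bookmark_safe(u)) for u in urls if carries_credentials(u)]


if __name__ == "__main__":
    # Constructed sample bookmarks; the host and path are not real.
    bookmarks = [
        "http://listserv.example.org/cgi-bin/wa?LMGT1=",
        "http://listserv.example.org/cgi-bin/wa?LMGT1=&X=owner%40example.org&Y=s3cret",
        "http://listserv.example.org/cgi-bin/wa?A2=ind9912&L=MYLIST-L&X=owner%40example.org&Y=s3cret",
    ]
    for original, safe in audit_bookmarks(bookmarks):
        print("embeds credentials:", original)
        print("   safe to share:   ", safe)
```

Run the file directly to audit the constructed list; the LMGT1-only bookmark is reported as clean, and the other two are rewritten with their X= and Y= parameters dropped. This only covers the sharing problem the post describes; a bookmark to a specific function can still carry argument parameters that are invalid later, exactly as the post warns.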
