LSTSRV-L Archives

LISTSERV Site Administrators' Forum

lsvadmin <[log in to unmask]>
Mon, 20 Dec 1999 17:04:19 +1100
text/plain (57 lines)
okay, that's enough;

If you have questions about this problem, try contacting your own
security people or people you deem as reputable in the security
industry and asking them what they think. I did, and their answer was
the same as I suspected. This is a security problem. Bookmark one of
the pages past the login screen and see what I mean; test it from
different browsers and see what I mean.

If you feel the need to make ridiculous comparisons between common
administration practices here and a security problem with a web based
software application then at least think of the others on the list here
having to listen to it as well. I will not stand by silently while you belittle
a company I work for and the people I work with who are extremely
intelligent and skilled when it comes to realising the potential for and
dealing with security abuses.

I have not made any personal attacks on anyone, nor have I made any
erroneous statements about the problem here with wa and bookmarked
URLs. If I were you I would be more concerned with testing it out myself and
asking people who can say what you should be looking for and fixing, if
you feel your LISTSERV site security to be jeopardized by this problem.

My apologies for the abruptness of this mail to all other list subscribers;
there was no return address to keep this off list.

ICoS
[log in to unmask]


On 19 Dec 99, at 22:10, Jason Filley wrote:

> Greetings!
>
> I didn't really want to jump in here, but I can't help myself.  Why exactly
> are you allowing your users to access each other's personal files (viz.
> bookmarks)?  Do you also allow them to access each other's mailboxes?  Is
> your LISTSERV web-interface using an SSL connection?  Do you allow your
> users to send SMTP mail commands to LISTSERV (I'd imagine so)?  Well, SMTP
> travels in cleartext, so anyone on your network with a handy little sniffer
> (NT's Network Monitor, for instance) can just sit there and watch the mail,
> including passwords, flying over the network.  Where *exactly* is the
> problem with bookmarks here?
>
> From what you've said, it seems that your issue is that users in a poorly
> secured environment can access each other's bookmarks (not LISTSERV's fault)
> or that they can send their passwords to other people (not LISTSERV's
> fault).  It looks to me as though you're just chasing windmills.  If your
> list owners (or site manager, for that matter) can't be trusted to not send
> passwords to large groups of strangers then don't make them owners.
>
> And I've taken your advice and looked at it -- I've looked at it for 1 1/2
> years now.  It works fine.
>
> regards,
> jason
