LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Eric Thomas <[log in to unmask]>
Wed, 8 Aug 2007 15:51:24 +0200
> Equally noteworthy - once the password is compromised, the web
> interface is pretty much a red herring, as pretty much everything
> available through it is *also* available via e-mail based command
> submission.
>
> The *real* question is "is there any way to exploit the wa.cgi
> interface such that you can do things *without* that password/cookie?"

Other than archive browsing, anything you can do with WA can also be done with TCPGUI, e-mail, etc. All right, some of the functions would be a challenge with a modern e-mail client that would word wrap and whatnot, but that is another story :-) Otherwise, WA is just a front-end to TCPGUI. It has no special privileges in LISTSERV; instead, it logs in to LISTSERV with your e-mail address and password (or connects anonymously for functions requiring no privileges). The only potential exposure is in the archive browsing function, which does have read access to archive files.

If you can capture the login ticket with a network sniffer or whatever, you can use it for a set period of time (normally 15 minutes), then it expires. Use SSL to prevent this (even if you can crack the packets, by the time you are done the ticket will have expired). Of course, public SSL certificates cost real money and self-signed certificates are a great way to make people back away from your site when they see the dire warnings in their browser, but that is also another story.

  Eric
