On Thu, 26 Aug 1999, Listserv Admin wrote:
> On Wed, 25 Aug 1999, Jessica Rasku wrote:
> > On Wed, 25 Aug 1999, KEVIN MCKENZIE wrote:
> > > persons address, you can hide these in the script or make the person enter
> > > them to be added), then no confirmation request would be generated, and the
> > > person added to the list.
> >
> > This is SCARRY. Any web input form with no confirm I consider
> > really bad, but this could possibly be used really maliciously... I'm not
>
> We will soon be using such a procedure to add students to their course
> lists each semester to bypass any confirmation. The list owner completes a
> web form, specifying listname, password and their e-mail address (we also
> grab all the env variables). The output of this form is fed to a program
> which takes the information and builds an ADD job for each list specified.
> These ADD jobs are then sent to listserv (and cc:d to a real person). The
> "From:" is the Owner and the password is the Owner's passwd so all replies
> and errors go to the List Owner.
Don't send the actuall add request to your students. The password
is there. You don't want that....
> The only problem I anticipate would be if some character obtains an
> owner's password for one of these confidential lists and proceeds to
> request an update of an existing class list. In this case, the message
> from listserv stating that "so many people have been added, etc.," would
> go to the real owner and cause sufficient alarm that they would remember
> the instructions to contact us.
A person could replace the header with the password, bypassing the
``real owner''. So, this isn't safe either...
Jessica
--
Jessica Rasku, Box 270, Rossland, B.C., V0G 1Y0, (250) 362-5701,
LinuxBox: (250) 362-9668.
List manager: [log in to unmask]
send command help ---- To get help with majordomo
or lists ---- To get a list of all lists on server.
WWW: <http://www.geocities.com/RainForest/Andes/8749>
|