On Thu, 26 Aug 1999, Listserv Admin wrote: > On Wed, 25 Aug 1999, Jessica Rasku wrote: > > On Wed, 25 Aug 1999, KEVIN MCKENZIE wrote: > > > persons address, you can hide these in the script or make the person enter > > > them to be added), then no confirmation request would be generated, and the > > > person added to the list. > > > > This is SCARRY. Any web input form with no confirm I consider > > really bad, but this could possibly be used really maliciously... I'm not > > We will soon be using such a procedure to add students to their course > lists each semester to bypass any confirmation. The list owner completes a > web form, specifying listname, password and their e-mail address (we also > grab all the env variables). The output of this form is fed to a program > which takes the information and builds an ADD job for each list specified. > These ADD jobs are then sent to listserv (and cc:d to a real person). The > "From:" is the Owner and the password is the Owner's passwd so all replies > and errors go to the List Owner. Don't send the actuall add request to your students. The password is there. You don't want that.... > The only problem I anticipate would be if some character obtains an > owner's password for one of these confidential lists and proceeds to > request an update of an existing class list. In this case, the message > from listserv stating that "so many people have been added, etc.," would > go to the real owner and cause sufficient alarm that they would remember > the instructions to contact us. A person could replace the header with the password, bypassing the ``real owner''. So, this isn't safe either... Jessica -- Jessica Rasku, Box 270, Rossland, B.C., V0G 1Y0, (250) 362-5701, LinuxBox: (250) 362-9668. List manager: [log in to unmask] send command help ---- To get help with majordomo or lists ---- To get a list of all lists on server. WWW: <http://www.geocities.com/RainForest/Andes/8749>