Perry E. Metzger writes:
> > Note the *in a server-side CGI*. AFAICS, we're done: we're safe.
>
> You're misinterpreting. The issue is that some server side systems
> also use web APIs of various kinds.
>
> > Mailman (as we distribute it) doesn't make *outgoing* HTTP
> > connections, it
Christian F Buser via Mailman-Users writes:
> "from what I can see from the text files you sent me, it's a matter of
> the mailing list configuration.
> The sender ( From: ) needs to be set as the mailing list address and not
> as the original sender (eg, ek...@yahoo.com)
Your provider,
On 7/23/16 8:30 AM, Christian F Buser via Mailman-Users wrote:
> I have received several bounce notices for subscribers of my list with
> the following contents:
...
>
> - but all mailing lists I know usually have the original sender's name
> in the From-field...
>
> So what am I doing wrong here?
On 7/23/16 8:19 AM, Perry E. Metzger wrote:
>
> Well, there are implicit things that use HTTP_PROXY. If mailman makes
> any http requests itself, or calls anything that does, it might cause
> trouble that it is in the environment. I take it that this is *not*
> the case?
Yes. That is not the cas
I have received several bounce notices for subscribers of my list with
the following contents:
Action: failed
Final-Recipient: rfc822; ek...@yahoo.com
Status: 5.0.0
Remote-MTA: dns; mta7.am0.yahoodns.net
Diagnostic-Code: smtp; 554 5.7.9 Message not accepted for policy reasons.
See https://hel
On Sat, 23 Jul 2016 16:36:30 +0900 "Stephen J. Turnbull" wrote:
> > It works by an attacker inserting an http_proxy header into the
> > headers which it presents to the web server, which are then
> > passed in the HTTP_PROXY environment variable to the CGI script.
> > I think that there aren't
On Fri, 22 Jul 2016 19:59:45 -0700 Mark Sapiro wrote:
> And Mailman 2.1's CGIs will do absolutely nothing with an HTTP_PROXY
> environment variable. They won't look for it even if it's there.
> They look at things like query strings and POST data to determine
> what to do and then they write HTML
On Fri, 22 Jul 2016, Mark Sapiro wrote:
That's not the way I read it, but if you think that's the case, then
you've already decided that Mailman 2.1 is vulnerable depending on the
specific web server configuration. GNU Mailman has no control over how
you set up your web server to serve Mailman's
Perry E. Metzger writes:
> > > Er, it uses CGI scripts, doesn't it? That's what it means to
> > > "deploy code" in this context.
I can think of several alternative interpretations (such as
browser-side Javascript, which was my first take when I read those
words -- I haven't looked at the actual