Why is this Postorius API public? - Mailman-users - lists.mailman3.org

newer
Mailman3 reinstall fail, need some...

Why is this Postorius API public?

older
New MM3 plugin: mailman_sieve

Stanisław Findeisen

10 Mar 2022 10 Mar '22

8:49 p.m.

Hello

I've just noticed that Postorius API is publicly accessible from the outside to an unauthenticated user, for example:

https://HOST/postorius/api/templates/list/LISTNAME.VHOST/list:member:regular...

Is this what is expected? Or a misconfiguration? How to fix this?

This is GNU Mailman 3.1.

Thanks!

Reply

Sign in to reply online Use email software

Show replies by date

Mark Sapiro

10 Mar 10 Mar

9:48 p.m.

On 3/10/22 12:49, Stanisław Findeisen via Mailman-users wrote:

Hello

I've just noticed that Postorius API is publicly accessible from the outside to an unauthenticated user, for example:

https://HOST/postorius/api/templates/list/LISTNAME.VHOST/list:member:regular...

Is this what is expected? Or a misconfiguration? How to fix this?

It is expected. That API only serves Postorius configured email templates. Do you think that is sensitive information?

-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Reply

Sign in to reply online Use email software

989

Age (days ago)

989

Last active (days ago)

Download

1 comments

2 participants

tags

participants (2)

Mark Sapiro
Stanisław Findeisen