e97d74c80a
which_access open -> closed who_access open -> closed max_which_hits 0 -> 1 Those would allow a spammer to harvest all subscriber addresses if not changed by the list admin. Reported on http://online.securityfocus.com/archive/1/310113/2003-02-03/2003-02-09/0 Don't restrict the which arguments as the article suggests, though, because with which_access list and max_which_hits 1, there's no reason to destroy a useful command.
14 lines
867 B
Plaintext
14 lines
867 B
Plaintext
--- config_parse.pl.orig Fri Jan 7 15:00:26 2000
|
|
+++ config_parse.pl Thu Feb 6 20:13:40 2003
|
|
@@ -80,8 +80,8 @@
|
|
'announcements', 'yes', # send sub/unsub audits to list owner
|
|
'get_access', "open\001closed\001list\001list", # open, anyone can access
|
|
'index_access', "open\001closed\001list\001open", # closed, nobody can
|
|
- 'who_access', "open\001closed\001list\001open", # list, only list can access.
|
|
- 'which_access', "open\001closed\001list\001open", # ...more to come...
|
|
+ 'who_access', "open\001closed\001list\001closed", # list, only list can access.
|
|
+ 'which_access', "open\001closed\001list\001closed", # ...more to come...
|
|
'info_access', "open\001closed\001list\001open", #
|
|
'intro_access', "open\001closed\001list\001list", #
|
|
'advertise', '', # if regexp matches address show list
|