[BALUG-Admin] Unauthenticated subscriptions to Mailman prior to v. 2.1.16

Rick Moen rick@linuxmafia.com
Tue Jul 26 02:05:56 UTC 2022

Here is what I was thinking of, a security weakness in Mailman's WebUI
for subscribing, that permitted spammers to sneak arbitrary addresses 
onto a Mailman list's roster by generating forged POST datastreams from
offsite.  Description of the bugfix, which was merged starting

   There is a new mm_cfg.py setting SUBSCRIBE_FORM_SECRET which will put
   a dynamically generated, hidden hash in the listinfo subscribe
   form and check it upon submission. Setting this will prevent automated
   processes (bots) from successfully POSTing web subscribes without first
   retrieving and parsing the form from the listinfo page. The form must also be
   submitted no later than FORM_LIFETIME nor no earlier than
   SUBSCRIBE_FORM_MIN_TIME after retrieval. Note that enabling this
   will break any static subscribe forms on your site. See the description
   in Defaults.py for more info


SUBSCRIBE_FORM_SECRET must be set to "write your own string here" 
in mm_cfg.py (a site-specific hash written by the site admin.

Mailman then embeds a CSRF (cross-site request forgery) token into its
subscription form.  Mailman will also enforce that the form be submitted
at least five seconds after it was generated.

Michael, please confirm that is set.

More information about the BALUG-Admin mailing list