At 10:46 AM 2003-02-07 -0600, Istvan Berkeley wrote:
>Hi there,
>There is a report of a major security hole in most versions of Majordomo
>available at http://www.net-security.org/vuln.php?id=2416
>I suggest folks get on top of this, otherwise the evil spammers may make
>our lives even more hellish.
This is total bullshit. Someone got on the MJ2 list with this crap a few
days ago and irritated everyone there - they were going to publish an "alert".

Hey, I will publish a major security alert, which affects every system: If
you have a weak password, someone can guess it, log in and steal your
data! Here is another security alert: You are subject to data loss
because few systems are strong enough to resist being struck by lightning
or being smashed by a concrete block!

A "major" security hole would be, "Someone can break into your system
because you are running Majordomo", or "Majordomo can be used to relay a
worm". This is actually: The default for "which" is open, and it has been
for 10 years now, so someone can extract e-mail addresses from your system
unless you have closed it. It is the default because Majordomo was
designed in a kinder, gentler day, and everyone who cares changes the
default. As described in the "alert", it is a case of "RTFDOC". Guess
what? You should not be running a MLM *unless* you read the doc, and
Mj2 leads you through a set of defaults that they suggest you review for
applicability when you set up a new list, and one of them is this one, the
default for "which".

You know, I have another alert: You might have meant for no one to sign up
for this list, but the default is to let people sign up! The most
restrictive defaults should be picked in all cases, of course, so the
default should be to not let people sign up! And to not let people use the
list at all! And to restrict all English words from being in a posting,
because if people are allowed to use language in mailing list postings,
they could accidentally give away secrets!

Lots of people have open archives; some, by policy, however misguided,
require that their subscriber lists be public. These defaults are
perfectly appropriate, and, if the reporter had actually bothered to use
Majordomo2, they would have understood the process.

This is known and has been well known for a number of years. It is only
being described as a major hole by someone who wants to inflate their
self-importance.
--
SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally
to mean electronic messages designed to be read by an individual, and it
can include Usenet, SMS, AIM, etc. But if it is not all three of
Unsolicited, Bulk, and E-mail, it simply is not spam. Misusing the term
plays into the hands of the spammers, since it causes confusion, and
spammers thrive on confusion. Spam is not speech, it is an action, like
theft, or vandalism. If you were not confused, would you patronize a spammer?
Nick Simicich - njs@scifi.squawk.com - http://scifi.squawk.com/njs.html
Stop by and light up the world!
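An added example, not part of this thread or of Majordomo itself: a small audit script that reads Majordomo 1.x-style list config files and reports which lists still leave the "which" command open, treating a missing setting as open since that is the shipped default the message describes. It assumes the `key = value` config layout, the `which_access` key with values open / closed / list, and `<< END` multi-line blocks; the sample configs are constructed.

```python
"""Audit Majordomo-style list configs for an open `which` command.

Assumptions (not taken from the thread): settings are `key = value`
lines, `#` starts a comment, multi-line values are `key << END ... END`,
and the relevant key is `which_access` with values open / closed / list.
A missing `which_access` is treated as `open`, the shipped default.
"""
import re
from typing import Dict, List

SETTING_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)\s*$")
VALID = ("open", "closed", "list")


def parse_config(text: str) -> Dict[str, str]:
    """Return lower-cased key -> value for one-line settings, skipping
    comments and the bodies of `<< END` blocks."""
    settings: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside a `key << END` block
            in_block = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("<< END"):       # assumed multi-line syntax
            in_block = True
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def which_exposure(text: str) -> str:
    """Classify who may run `which` for this list: open, list or closed."""
    value = parse_config(text).get("which_access", "open")  # default: open
    return value if value in VALID else "open"  # unknown value: assume worst


def audit(configs: Dict[str, str]) -> List[str]:
    """Names of lists whose `which` command answers anyone."""
    return sorted(n for n, t in configs.items() if which_exposure(t) == "open")


# Constructed sample configs, one per list (not real lists).
SAMPLE_CONFIGS = {
    "announce": "# left at the shipped default\nwho_access = closed\n",
    "members": "which_access = closed\nmessage_footer << END\nwhich_access = open\nEND\n",
    "staff": "Which_Access = Open\n",
    "dev": "which_access = list\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print(f"{name}: 'which' is open; anyone can probe for subscriber addresses")
```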