Great Circle Associates Majordomo-Users
(June 1994)
 


Subject: Re: Majordomo SECURITY problem and fix
From: Dan Simoes <dans @ ans . net>
Date: Wed, 8 Jun 1994 08:48:02 -0400 (EDT)
To: de5 @ de5 . CTD . ORNL . GOV (Dave Sill)
Cc: bugtraq @ crimelab . com, majordomo-users @ greatcircle . com, majordomo-workers @ ans . net
In-reply-to: <199406081234.IAA09861@de5.CTD.ORNL.GOV> from "Dave Sill" at Jun 8, 94 08:34:37 am

> Knowing that the bugtraq list used Majordomo, I asked about the
> security problem on the majordomo-users mailing list.  I was forwarded
> a copy of an announcement that was sent to the majordomo-workers list.
> 
> I'm not real pleased that I had to actively search for this...

I think the reasoning was that people on the -users list might
try to exploit it, whereas people on the -workers list are
trying to plug it; just a guess though.

For folks running 1.62 out of the box, here's what I think is the
quickest fix (as yet unverified but implemented):

cd ~majordom
chmod 000 wrapper 

edit the following files and change occurrence of "$to" or "$reply_to"
to -t as stated in the note sent by John R:

majordomo.cf line 21
majordomo.pl line 225
resend line 326,328
new-list 40
request-answer 40

when done,

chmod 6775 wrapper

Please let me know if this is insufficient.

| Dan |
-- 
Dan Simoes			          dans@ans.net
Associate Programmer		         (914) 789-5378
Advanced Network & Services               Elmsford, NY
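
A check for the edit described in the message above, as an added example that is not part of the original post or of Majordomo: it reads the listed lines and reports whether each still carries "$to" or "$reply_to" or now carries -t. The file names and line numbers are the ones in the message; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). File names and line numbers
# are the ones listed in the message for a stock 1.62 install; the function
# names and the directory argument are assumptions.
TARGETS="majordomo.cf:21 majordomo.pl:225 resend:326 resend:328 new-list:40 request-answer:40"

# check_line DIR FILE LINE: print a status for one line; return 0 only if patched.
check_line() {
    file_path="$1/$2"
    if [ ! -r "$file_path" ]; then
        echo "MISSING    $2"
        return 1
    fi
    text=$(sed -n "${3}p" "$file_path")
    # A bare $to or $reply_to still on the line means the edit was not made.
    if printf '%s\n' "$text" | grep -Eq '\$(to|reply_to)([^A-Za-z0-9_]|$)'; then
        echo "UNPATCHED  $2:$3: $text"
        return 1
    fi
    # The replacement named in the message is the -t switch.
    if printf '%s\n' "$text" | grep -Eq '(^|[^A-Za-z0-9_-])-t([^A-Za-z0-9_-]|$)'; then
        echo "PATCHED    $2:$3"
        return 0
    fi
    # Neither form found: line numbers may have shifted in a modified install.
    echo "REVIEW     $2:$3: $text"
    return 1
}

# audit DIR: check every listed line; return 0 only if all are patched.
audit() {
    bad=0
    for t in $TARGETS; do
        check_line "$1" "${t%%:*}" "${t##*:}" || bad=$((bad + 1))
    done
    echo "$bad of 6 listed lines need attention"
    [ "$bad" -eq 0 ]
}

# Run as: sh check-fix.sh ~majordom
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A REVIEW result means the line has neither form, which is what a locally modified install with shifted line numbers would produce; inspect that file by hand.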

