Great Circle Associates Majordomo-Users
(November 1999) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: "which @" not exposing all addresses (sendmail 8.8.5,
From: Jeff Welch <jwelch @ cutter . com>
Date: Wed, 03 Nov 1999 11:54:10 -0500
To: Kevin Merrill <kmerrill @ listserv . nses . com>, Majordomo Help <Majordomo-users @ GreatCircle . COM>
In-reply-to: <Pine.LNX.4.04.9911021630060.2438-100000@listserv.nses.com> 
Maybe this has been fixed already?  I'd never heard of it, and it does
sound scary, so I tried to replicate the behavior using several
configurations (which @, which "@", which \@, which "\@") with my
majordomo.  But they all seemed to work ok, each time majordomo responded:

  >>>> which @
  The string '@' appears in the following
  entries in lists served by Majordomo@cutter.com:

  **** No matches found

I'm using Sendmail 8.8.5, majordomo 1.94.4 (rev 1.56).

-- Jeff

At 04:32 PM 11/2/99 -0500, Kevin Merrill wrote:
>Need your expert help - I keep all of my lists set to "noadvertize" so
>that the lists I run will not be easily visible to those not subscrib'ed
>to my ists, but have recently found out that when a user sent my Majordomo
>server a "wh1ch @" command, he got back all e-mail addresses for all lists
>on my server,....seems like a HUGE security hole to me.
>
>Can anyone advise me on a way to prevent this command from working ??
>
>Thanks in Advance,
>
>Kevin Merrill
>
>
>
Follow-Ups:
References:
Indexed By Date Previous: Auto-uh-proving post based on message headers
From: Jim Reisert <Jim_Reisert@mint-tech.com>
Next: Re: Auto-uh-proving post based on message headers
From: "Roger B.A. Klorese" <rogerk@QueerNet.ORG>
Indexed By Thread Previous: Please Advise
From: Kevin Merrill <kmerrill@listserv.nses.com>
Next: Re: "which @" not exposing all addresses (sendmail 8.8.5,
From: "Joe R. Jah" <jjah@cloud.ccsf.cc.ca.us>
Google
 
Search Internet Search www.greatcircle.com