Great Circle Associates Majordomo-Users
(February 2003)
 


Subject: Re: Which @
From: George Booth <G.Booth@usm.edu>
Date: Fri, 21 Feb 2003 16:15:30 -0600
To: majordomo-users@greatcircle.com
User-agent: Internet Messaging Program (IMP) 3.1

We used this to fix the 'which @' bug...it's worked for us.

-----------------------

Majordomo Mailing List Address Exposure

Affected Products:
Majordomo (all versions)

Description:
Under the default configuration of Majordomo, a remote attacker can
extract all the addresses on Majordomo mailing lists by sending a
simple query to the daemon. Spammers can use this method to obtain
large email address lists associated with specific interest groups.

Risk: Remote attackers can extract mailing lists from Majordomo servers.

Deployment: Significant.
Majordomo is a popular open source mailing list manager for Unix that
has been widely used since its introduction in 1992. The vulnerability
is present in Majordomo's default configuration.

Ease of Exploitation: Trivial.
An attacker only needs to send the command "which" with an argument
"@" to a listening daemon (via email) and the daemon will return all
subscribed email addresses containing an "@" character (matches all
addresses). The attacker does not need to be a list member to execute
this command.

Status: Vendor confirmed. The simplest solution is to change the
configuration settings. A patch for Majordomo 1.94.5 is included in
the advisory. The vendor has also released a new version of Majordomo 2
(alpha) that protects the mailing list information by default.

References:
Advisory by Marco van Berkum:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0030.html

Vendor Web Site:
http://www.greatcircle.com/majordomo/

Tutorial on Sending Commands to Majordomo:
https://lists.stanford.edu/majordomo_basics.html

Original 1992 Usenix paper by D. Brent Chapman on Majordomo:
http://www.greatcircle.com/majordomo/majordomo.lisa6.pdf

Council Site Actions:
The affected software is in use at two of the council sites.
The first site has already changed its majordomo configuration.
The second site has a small number of machines running the software,
all of which are supported by individual departments.  They feel the
risk is low enough to not warrant action at this time.  They believe
individual departments will update the software on their own.

----- End forwarded message -----



**********
George Booth                        G.Booth@usm.edu
Systems Analyst II                  ghbooth@ocean.st.usm.edu
Majordomo Admin                     pan@arcadia.otr.usm.edu
Office of Technology Resources      http://ocean.st.usm.edu/~ghbooth
             University of Southern Mississippi

                        ex phantasma veritas...
                                in illusion, truth...
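An added example, not code from George Booth's message, the forwarded advisory, or Majordomo itself: a small POSIX shell audit for the "which" exposure described above. It reports every Majordomo 1.94.x list whose 'which_access' setting still lets the daemon answer "which @" for that list, and can rewrite the configs to close the command. It assumes the standard 1.94.x layout in which each list's settings live in a <list>.config file under the lists directory, and that 'which_access' takes the values open, list or closed, with open as the effective default when the key is absent. The sample lists directory it builds is constructed for the demonstration; the install path in the usage comment is only an example.

```shell
#!/bin/sh
# Added example, not from the original message, the advisory, or Majordomo.
# Assumptions (Majordomo 1.94.x): each list's settings live in <list>.config
# under the lists directory, and 'which_access' takes open, list or closed,
# defaulting to open when the key is absent (the exposing default).
#
# Usage against a real install (example path, adjust to your layout):
#   audit_which_access /usr/local/majordomo/lists
#   close_which_access /usr/local/majordomo/lists

# audit_which_access DIR
#   Print "<list> <value>" for every list whose which_access is not closed.
#   Exit status 0 when every list is closed, 1 when at least one is not.
audit_which_access() {
    dir=$1
    rc=0
    for cfg in "$dir"/*.config; do
        [ -f "$cfg" ] || continue
        list=$(basename "$cfg" .config)
        # Last uncommented assignment wins; tolerate whitespace and
        # trailing comments. Lines starting with '#' are never matched.
        value=$(sed -n 's/^[[:space:]]*which_access[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
        [ -n "$value" ] || value="open (default: key absent)"
        if [ "$value" != closed ]; then
            echo "$list $value"
            rc=1
        fi
    done
    return $rc
}

# close_which_access DIR
#   Rewrite every list config so that which_access = closed, replacing an
#   existing assignment or appending the key when the config lacks one.
close_which_access() {
    dir=$1
    for cfg in "$dir"/*.config; do
        [ -f "$cfg" ] || continue
        if grep -q '^[[:space:]]*which_access[[:space:]]*=' "$cfg"; then
            sed 's/^\([[:space:]]*which_access[[:space:]]*=\).*/\1 closed/' "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
        else
            printf 'which_access = closed\n' >> "$cfg"
        fi
    done
}

# make_sample_lists
#   Build a constructed lists directory covering the cases the audit must
#   handle: explicit open, 'list' with a commented-out closed line, key
#   absent (default open), and already closed. Prints the directory path.
make_sample_lists() {
    dir=$(mktemp -d)
    printf 'who_access = closed\nwhich_access = open\n'    > "$dir/staff.config"
    printf '# which_access = closed\nwhich_access = list\n' > "$dir/alumni.config"
    printf 'who_access = closed\n'                          > "$dir/announce.config"
    printf 'which_access = closed\n'                        > "$dir/private.config"
    echo "$dir"
}
```

Run the audit against the real lists directory and review the report before closing anything: close_which_access rewrites each config in place, so back the directory up first. The 'list' value still lets subscribers run "which" against that list, so only closed fully removes the exposure the advisory describes. The same audit pattern applies to the sibling 'who_access' key, which governs the "who" command's full member dump; that key is not mentioned in the advisory above.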

