Great Circle Associates Majordomo-Users
(March 2004)

Subject: Re: security hole
From: John Sechrest <sechrest @ peak . org>
Date: Sat, 27 Mar 2004 12:50:14 -0800
To: "MajorDomo Administrator, MSER:EX" <Majordomo . Admin @ gems1 . gov . bc . ca>
Cc: "'Majordomo-Users @ greatcircle . com'" <Majordomo-Users @ greatcircle . com>
In-reply-to: Your message of Fri, 26 Mar 2004 14:06:24 PST. <78C662A57529A14FAD49FC8819F5E2D40F6CE106@swan.bcsc.gov.bc.ca>



The connection from an alias to the outgoing alias is arbitrary.

You do not need to call it that name.

Specifically, by adding a long randomly generated key:
  owner-l_tk_testlist: l_tk_testlist-owner
  l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
  listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing"
  l_tk_testlist-owner: me@myaddress
  l_tk_testlist-approval: l_tk_testlist-owner
  owner-l_tk_testlist-approval: l_tk_testlist-owner
  l_tk_testlist-outgoing: :include:/home/majordomo/lists/l_tk_testlist
  owner-l_tk_testlist-outgoing: l_tk_testlist-owner


Can become: 

  owner-l_tk_testlist: l_tk_testlist-owner
  l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
  listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing-08DAEA32DAE99"
  l_tk_testlist-owner: me@myaddress
  l_tk_testlist-approval: l_tk_testlist-owner
  owner-l_tk_testlist-approval: l_tk_testlist-owner
  l_tk_testlist-outgoing-08DAEA32DAE99: :include:/home/majordomo/lists/l_tk_testlist
  owner-l_tk_testlist-outgoing: l_tk_testlist-owner


So long as
  l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
  listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing-08DAEA32DAE99"
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Matches 
  l_tk_testlist-outgoing-08DAEA32DAE99: :include:/home/maj....
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


And in this way no one should be able to see the relationship to the 
unfiltered list.





"MajorDomo Administrator, MSER:EX" <Majordomo.Admin@gems1.gov.bc.ca> writes:

 % We noticed a bad security hole with our majordomo lists.  It was brought to
 % our attention by the list subscribers who were getting spoofed virus
 % rejections.  The rejections were going to the listname-outgoing address and
 % therefore bypassing the requirement for moderation.
 % 
 % Has anyone else had this problem and how did they patch it?
 % 
 % a template of aliases file config
 % 
 % owner-l_tk_testlist: l_tk_testlist-owner
 % l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
 % listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing"
 % l_tk_testlist-owner: me@myaddress
 % l_tk_testlist-approval: l_tk_testlist-owner
 % owner-l_tk_testlist-approval: l_tk_testlist-owner
 % l_tk_testlist-outgoing: :include:/home/majordomo/lists/l_tk_testlist
 % owner-l_tk_testlist-outgoing: l_tk_testlist-owner
 % 
 % Thanks,
 % Majordomo Support   
 % mailto:Majordomo.Admin@gems1.gov.bc.ca

-----
John Sechrest          .         Helping people use
                        .           computers and the Internet
                          .            more effectively
                             .                      
                                 .       Internet: sechrest@peak.org
                                      .   
                                              . http://www.peak.org/~sechrest
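As an added example (not part of the thread or of Majordomo itself), a small Python script that applies the renaming John describes to an aliases template and performs the "so long as X matches Y" check: it joins sendmail continuation lines, renames the `-outgoing` alias both where it is defined and where `resend` delivers to it, and verifies the two still agree. The sample aliases text is constructed from the template quoted in the thread; the key value is normally drawn from `secrets`, and the fixed value passed in here is a placeholder for reproducibility.

```python
import re
import secrets

# Constructed sample: the aliases template quoted in the thread.
ALIASES = """owner-l_tk_testlist: l_tk_testlist-owner
l_tk_testlist: "|/home/majordomo/wrapper resend -l l_tk_testlist -h
  listsserver.ca -f l_tk_testlist-owner l_tk_testlist-outgoing"
l_tk_testlist-owner: me@myaddress
l_tk_testlist-approval: l_tk_testlist-owner
owner-l_tk_testlist-approval: l_tk_testlist-owner
l_tk_testlist-outgoing: :include:/home/majordomo/lists/l_tk_testlist
owner-l_tk_testlist-outgoing: l_tk_testlist-owner
"""

def parse_aliases(text):
    """Map alias name -> right-hand side, joining sendmail continuation
    lines (a line that starts with whitespace belongs to the alias above)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            entries[current] += " " + line.strip()
            continue
        name, _, rhs = line.partition(":")   # first colon only: keeps :include:
        current = name.strip()
        entries[current] = rhs.strip()
    return entries

def randomize_outgoing(entries, listname, key=None):
    """Rename <list>-outgoing to <list>-outgoing-<key> where it is defined and
    where resend delivers to it, so the unfiltered alias cannot be guessed."""
    key = key or secrets.token_hex(8).upper()
    old, new = f"{listname}-outgoing", f"{listname}-outgoing-{key}"
    if old not in entries:
        raise KeyError(f"no {old} alias to rename")
    out = {}
    for name, rhs in entries.items():
        if name == old:                      # the :include: definition
            name = new
        elif name == listname:               # last argument of the resend command
            rhs = re.sub(rf"\b{re.escape(old)}\b", new, rhs)
        out[name] = rhs                      # owner-*-outgoing kept as in the thread
    return out, key

def check_consistent(entries, listname):
    """The check the reply spells out: the alias resend delivers to must be
    defined, and the guessable bare -outgoing alias must no longer exist."""
    target = entries[listname].strip('"').split()[-1]
    return target in entries and f"{listname}-outgoing" not in entries
```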

