Regarding the CERT security advisory, I was thinking about what
other vulnerabilities majordomo might have.
Correct me if I'm wrong, but the following would seem to me to
be security vulnerabilities:
1) non-private mail lists, any user would be able to subscribe.
2) private mail lists, a user could masquerade as the owner of
the list and subscribe themselves (via telnet to sendmail port).
3) with the above 2 in mind,
thus be able to retrieve archives or digests of any list.
Would this be true?
> CA-94:11 CERT Advisory
> June 9, 1994
> Majordomo Vulnerabilities
> -----------------------------------------------------------------------------
>
> The CERT Coordination Center has received reports of vulnerabilities in all
> versions of Majordomo up to and including version 1.91. These vulnerabilities
> enable intruders to gain access to the account that runs the Majordomo
> software, even if the site has firewalls and TCP wrappers.
--------------------------------------------------------------------------------
Mike Sullivan Bellcore
mbs@bae.bellcore.com Phone: (908) 699-4856
444 Hoes Lane Room RRC-1E221 Fax: (908) 336-2929
Piscataway, NJ 08854