mbs@bae.bellcore.com writes:
# Regarding the CERT security advisory, I was thinking about what
# other vulnerabilities majordomo might have.
# Correct me if I'm wrong, but the following would seem to me to
# be security vulnerabilities:
#
# 1) non-private mail lists, any user would be able to subscribe.
# 2) private mail lists, a user could masquerade as the owner of
# the list and subscribe themselves (via telnet to sendmail port).
# 3) with the above 2 in mind,
# thus be able to retrieve archives or digests of any list.
#
# Would this be true?
ABSOLUTELY!
We've never claimed that Majordomo was secure against this type of
thing.
If you read the original Majordomo paper (available for anonymous FTP
from FTP.GreatCircle.COM, file pub/majordomo/majordomo.paper.ps.Z), it
talks about how the "security features" in Majordomo (password
protection on the list-owner commands) are mainly there to keep people
from making a nuisance of themselves.
There is talk of adding PGP-based authentication to version 2.0 of
Majordomo. I'm sure this will shortly be discussed here on the
Majordomo-Workers mailing list.
-Brent
--
Brent Chapman | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
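An added illustration (not Majordomo's own code) of the two trust levels this thread contrasts: the 1.x behaviour of accepting a private-list owner command on the strength of the From: line alone, and the PGP-style signed command mentioned for 2.0, modelled here with an HMAC stand-in. The list names, owner addresses and signing key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample configuration: one open list, one private list.
LISTS = {
    "gossip":   {"private": False, "owner": "alice@example.org"},
    "insiders": {"private": True,  "owner": "bob@example.org"},
}

# Hypothetical per-owner signing keys, standing in for the PGP keys the
# reply says version 2.0 may use; nothing like this exists in 1.x.
OWNER_KEYS = {"bob@example.org": b"constructed-owner-signing-key"}


def sign_command(owner, command):
    """Owner-side: MAC over the exact command text (stand-in for a PGP signature)."""
    return hmac.new(OWNER_KEYS[owner], command.encode(), hashlib.sha256).hexdigest()


def subscribe_allowed(list_name, from_header, command, signature=None,
                      require_signature=False):
    """Return (allowed, reason) for a subscribe command to list_name.

    from_header is whatever the message's From: line claims; as with any
    SMTP submission it cannot be verified here.  With require_signature=False
    the private-list check trusts that header (the 1.x weakness discussed
    above); with True it insists on a MAC that only the owner's key produces.
    """
    cfg = LISTS[list_name]
    if not cfg["private"]:
        return True, "non-private list: any sender may subscribe"
    owner = cfg["owner"]
    if from_header != owner:
        return False, "private list: From: is not the owner"
    if not require_signature:
        # Header-only trust: a message with a forged From: reaches this point.
        return True, "From: matches owner (header not verified)"
    if signature is None:
        return False, "private list: owner signature required"
    if hmac.compare_digest(sign_command(owner, command), signature):
        return True, "owner signature verified"
    return False, "signature does not verify under the owner's key"
```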