# Regarding the CERT security advisory, I was thinking about what
# other vulnerabilities majordomo might have.
# Correct me if I'm wrong, but the following would seem to me to
# be security vulnerabilities:
# 1) non-private mail lists, any user would be able to subscribe.
# 2) private mail lists, a user could masquerade as the owner of
# the list and subscribe themselves (via telnet to sendmail port).
# 3) with the above 2 in mind,
# thus be able to retrieve archives or digests of any list.
# Would this be true?
We've never claimed that Majordomo was secure against this type of
If you read the original Majordomo paper (available for anonymous FTP
from FTP.GreatCircle.COM, file pub/majordomo/majordomo.paper.ps.Z), it
talks about how the "security features" in Majordomo (password
protection on the list-owner commands) are mainly there to keep people
from making a nuisance of themselves.
There is talk of adding PGP-based authentication to version 2.0 of
Majordomo. I'm sure this will shortly be discussed here on the
Majordomo-Workers mailing list.
Brent Chapman | Great Circle Associates | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
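To make concrete why a From:-header check is no authentication at all (item 2 in the quoted message), here is an added example that is not code from this thread or from Majordomo. It simulates both halves of the dialogue a person would type after `telnet host 25`, delivers the result to two toy authorisation checks, and shows the header-based one accepting the forged message. The host names, addresses, the `approve <password>` line syntax and the checks themselves are assumptions for illustration, not Majordomo's real configuration or code.

```python
"""Forged list-owner request over raw SMTP (added example, not from the
original thread).  All names, addresses and command syntax are assumed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: a private list and its owner as a toy list
# configuration might record them.  The password is an assumption.
LIST_ADDRESS = "majordomo@lists.example.com"
LIST_OWNER = "owner@example.com"
LIST_PASSWORD = "s3cret"


def forged_session(mail_from, rcpt_to, header_from, body):
    """Client half of an SMTP session whose From: header names someone else.
    Nothing here is authenticated; anyone who can reach port 25 can type it."""
    return [
        "HELO attacker.example.net",
        f"MAIL FROM:<{mail_from}>",
        f"RCPT TO:<{rcpt_to}>",
        "DATA",
        f"From: {header_from}",
        f"To: {rcpt_to}",
        "Subject: subscribe",
        "",                      # blank line ends the headers
        body,
        ".",                     # lone dot ends the message body
        "QUIT",
    ]


def toy_smtp_server(client_lines):
    """Minimal SMTP receiver.  Returns (replies, envelope_sender, message_text).
    It records MAIL FROM but verifies neither it nor the From: header."""
    replies = ["220 lists.example.com SMTP ready"]
    envelope_sender = None
    data, in_data = [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 OK, message queued")
            else:
                data.append(line)
            continue
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "HELO":
            replies.append("250 lists.example.com")
        elif verb == "MAIL":
            envelope_sender = line.split(":", 1)[1].strip().strip("<>")
            replies.append("250 sender OK")
        elif verb == "RCPT":
            replies.append("250 recipient OK")
        elif verb == "DATA":
            in_data = True
            replies.append('354 enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append("221 closing connection")
        else:
            replies.append("500 command unrecognized")
    return replies, envelope_sender, "\n".join(data)


def owner_by_from_header(message_text, owner):
    """Weak check: believe the From: header.  This is what item 2 defeats."""
    _, addr = parseaddr(message_from_string(message_text)["From"])
    return addr.lower() == owner.lower()


def owner_by_password(message_text, password):
    """Nuisance-level check (assumed syntax): 'approve <password>' on the first
    body line.  The password travels in the clear in every message that uses
    it, so it deters nuisances rather than determined attackers."""
    body = message_from_string(message_text).get_payload().strip()
    first = body.splitlines()[0].split() if body else []
    return len(first) >= 2 and first[0].lower() == "approve" and first[1] == password


def demo():
    """Run the forged session end to end and return the check results."""
    lines = forged_session(
        mail_from="nobody@attacker.example.net",    # real envelope sender
        rcpt_to=LIST_ADDRESS,
        header_from=f"List Owner <{LIST_OWNER}>",   # forged header
        body="subscribe private-list attacker@attacker.example.net",
    )
    replies, envelope_sender, message = toy_smtp_server(lines)
    return {
        "queued": any(r.startswith("250 OK") for r in replies),
        "envelope_sender": envelope_sender,
        "header_check": owner_by_from_header(message, LIST_OWNER),
        "password_check": owner_by_password(message, LIST_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the server queuing the message, the envelope sender pointing at the attacker's host, the From:-header check passing anyway, and the password check failing because the forger did not know the password. The example deliberately does not claim the password check is strong: as the reply above says, that check only raises the bar from "anyone" to "anyone who has seen a list-owner message in transit".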