Great Circle Associates Majordomo-Workers
(November 1996)

Subject: Potential 'which' / 'who' security loophole in 1.94
From: Nick Perry <nick @ aboard . co . uk>
Date: Thu, 21 Nov 1996 14:34:23 +0000 (GMT)
To: majordomo-workers @ greatcircle . com, majordomo-users @ greatcircle . com

I've just been playing around with majordomo to add a global password
feature to approve and noticed a potential security loophole with
the which command.

Namely, if the setting for which_access is less strict than
who_access, a user who meets the criteria for doing which
but not for doing who may be able to get a list of subscribers
by doing:

which .

which obviously returns a list of all subscribers to all lists
that the sender meets which_access criteria (subject to the limit
imposed by max_which_hits).

This is also a great way to build up a list of email addresses
for spamming!

BASIC RULE OF THUMB:

****** ENSURE which_access is AT LEAST AS STRICT as who_access ******

Nick
 
-- 
Nick Perry                 | AboarD Boats & Yachts Market Ltd
Webmaster Manager          | 7a Fernshaw Road, LONDON, SW10 0TB. UK
Mobile: +44 (0)973 566204  | Tel: +44 (0)171 460 0030  Fax: 0040
                           | http://www.aboard.co.uk

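Added example, not from the original post or from Majordomo itself: a small audit script that reads each list's config, compares which_access against who_access, and reports lists where which is less strict than who (the condition the post describes). It assumes the three access levels are spelled open, list and closed, that open is Majordomo's default when a key is absent, and uses constructed sample configs.

```python
import re

# Majordomo 1.94 access levels, ranked from least to most strict
# (assumed spellings: open, list, closed).
STRICTNESS = {"open": 0, "list": 1, "closed": 2}

# Value used when a list config omits the key (assumed default: open).
DEFAULT_ACCESS = "open"


def parse_config(text):
    """Parse 'key = value' lines of a list config file into a dict.

    Blank lines and '#' comments are skipped; values are lower-cased so
    'Closed' and 'closed' compare equal.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)", line)
        if m:
            cfg[m.group(1)] = m.group(2).lower()
    return cfg


def which_weaker_than_who(cfg):
    """True when which_access would let someone bypass who_access."""
    which = cfg.get("which_access", DEFAULT_ACCESS)
    who = cfg.get("who_access", DEFAULT_ACCESS)
    if which not in STRICTNESS or who not in STRICTNESS:
        raise ValueError(f"unknown access level: which={which!r} who={who!r}")
    return STRICTNESS[which] < STRICTNESS[who]


def find_leaky_lists(configs):
    """Return sorted names of lists whose which_access is less strict than who_access."""
    return sorted(name for name, text in configs.items()
                  if which_weaker_than_who(parse_config(text)))


# Constructed sample configs, keyed by list name.
SAMPLE_CONFIGS = {
    "announce": "who_access = closed\nwhich_access = open\nmax_which_hits = 5\n",
    "dev": "who_access = list\nwhich_access = list\n",
    "private": "# no which_access line, so the default applies\nwho_access = closed\n",
    "public": "who_access = open\nwhich_access = open\n",
}

if __name__ == "__main__":
    for name in find_leaky_lists(SAMPLE_CONFIGS):
        print(f"{name}: which_access is weaker than who_access")
```

Note that "private" is flagged even though it never mentions which_access at all: the omitted key falls back to the default, which is the case most easily missed when tightening who_access by hand.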
