Great Circle Associates Majordomo-Workers
(November 1996)
 


Subject: Re: Potential 'which' / 'who' security loophole in 1.94
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: 21 Nov 1996 10:36:12 -0600
To: majordomo-workers @ greatcircle . com, majordomo-users @ greatcircle . com
In-reply-to: Nick Perry's message of Thu, 21 Nov 1996 14:34:23 +0000 (GMT)
References: <199611211434.OAA26418@java.aboard.co.uk>

>>>>> "NP" == Nick Perry <nick@aboard.co.uk> writes:

NP> Namely, if the setting for which_access is less strict than who_access,
NP> a user who meets the criteria for doing which but not for doing who may
NP> be able to get a list of subscribers by doing:

NP> which .

Read majordomo.cf and understand $max_which_hits.  which is a useful
command for people who are trying to unsubscribe themselves but don't know
exactly which address they are subscribed under, and restricting it (even
to just list members) should be done with much thought.

Please try to understand the configuration options you have before you yell
"security hole".  We have done some thinking on the matter.
-- 
      Jason L. Tibbitts III - tibbs@uh.edu - 713/743-8684 - 221SR1
System Manager:  University of Houston High Performance Computing Center
                1994 PC800 "Kuroneko"      DoD# 1723

