Great Circle Associates Majordomo-Workers
(October 1997)
 


Subject: Re: multiple lists commands attack --> majordomo vulnerabity?
From: John R Levine <johnl @ iecc . com>
Date: Fri, 31 Oct 1997 12:04:49 -0500 (EST)
To: Marko Hotti <mhotti @ lists . oulu . fi>
Cc: majordomo-workers @ greatcircle . com
In-reply-to: <Pine.LNX.3.96.971031074404.7285N-100000@lists.oulu.fi>

> The other mailing list server I'm running and administering at the moment
> was attacked by some idiot who had sent about 50 subsequent messages to
> the majordomo address - each message containing +100 lines of the
> majordomo command 'lists'. 

For a quick hack, at line 166, change this line:

	while (<>) {

to something like this:

	while ($count < 4 and defined($_ = <>)) {

to limit each incoming message to three commands.

In the do_lists routine you might also add something like:

	$count += 100;

so that after one "lists" command it decides it's done.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4  2D AC 1E 9E A6 36 A3 47 
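
The per-message cap suggested in the message above, as a stand-alone Perl example added here; it is not part of the original post and is not Majordomo's code. The names `process_message`, `%COST` and `$MAX_COST` are hypothetical, and the 100-line input is constructed to mirror the report quoted above.

```perl
#!/usr/bin/perl
# Added illustration; NOT Majordomo source. All names here are hypothetical.
use strict;
use warnings;

my $MAX_COST = 3;                     # command budget per incoming message
my %COST = (lists => $MAX_COST);      # one "lists" spends the whole budget

# Process the command lines of one message read from $fh.
# Returns (array ref of replies, number of commands ignored over budget).
sub process_message {
    my ($fh) = @_;
    my ($count, $skipped, @replies) = (0, 0);
    while (defined(my $line = <$fh>)) {
        chomp $line;
        next if $line =~ /^\s*$/;     # blank lines cost nothing
        if ($count >= $MAX_COST) {    # over budget: tally it, do not execute
            $skipped++;
            next;
        }
        my ($cmd) = $line =~ /^\s*(\S+)/;
        $count += $COST{lc $cmd} // 1;    # ordinary commands cost 1
        push @replies, ">>>> $line";      # stand-in for the real handler
    }
    return (\@replies, $skipped);
}

# Constructed sample input: one message carrying 100 "lists" commands.
my $flood = "lists\n" x 100;
open my $in, '<', \$flood or die "cannot open in-memory message: $!";
my ($replies, $skipped) = process_message($in);
close $in;
printf "executed %d command(s), ignored %d\n", scalar @$replies, $skipped;
```

Counting the ignored commands rather than stopping at the first one lets the reply tell a legitimate sender how many of their commands were dropped.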


