Great Circle Associates Majordomo-Workers
(October 1997)
 


Subject: Re: multiple lists commands attack --> majordomo vulnerability?
From: relph @ mando . engr . sgi . com (John Relph)
Date: Fri, 31 Oct 1997 10:59:58 -0800 (PST)
To: majordomo-workers @ GreatCircle . COM
In-reply-to: Jason L Tibbitts III <tibbs@hpc.uh.edu> "Re: multiple lists commands attack --> majordomo vulnerability?" (Oct 31, 12:42)
References: <Pine.LNX.3.96.971031074404.7285N-100000@lists.oulu.fi> <ufara91g4eq.fsf@sina.hpc.uh.edu>
Reply-to: relph @ sgi . com

On Oct 31, 12:42, Jason L Tibbitts III wrote:
>>>>>> "MH" == Marko Hotti <mhotti@lists.oulu.fi> writes:
>
>MH> The other mailing list server I'm running and administering at the
>MH> moment was attacked by some idiot who had sent about 50 subsequent
>MH> messages to the majordomo address - each message containing +100 lines
>MH> of the majordomo command 'lists'.
>
>For some reason I neglected to notice that there were multiple commands in
>a single message.  John L. already posted a solution that works for 1.9x; I
>can't do something quite that naive for 2.0 because doing a full list
>reconfiguration might take a huge number of commands.
>
>I suppose a per-transaction limit should be imposed by the core and should
>limit unapproved commands.  I'll have to think about it some more.

Is there any reason why duplicate commands could not be ignored?

For example:

	lists
	lists
	newconfig
	info
	intro
	intro
	lists

The second lists command could be ignored and the second intro command
could be ignored.

	-- John
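
An added illustration of the two ideas in this message, written for this archive page and not taken from Majordomo or from any poster: duplicate command lines are skipped as suggested above, and a per-message cap stands in for the per-transaction limit mentioned in the quoted reply. The cap value, the function names and the normalization rule are assumptions, and only single-line commands are handled.

```python
# Added example, not Majordomo code. MAX_COMMANDS, normalize() and
# filter_commands() are hypothetical names chosen for this illustration.
MAX_COMMANDS = 20  # assumed per-message cap on commands that get executed


def normalize(line):
    """Canonical form of one command line, or None for a blank line.

    Assumption: the verb is case-insensitive and runs of whitespace are not
    significant; arguments are kept as typed.
    """
    parts = line.split()
    if not parts:
        return None
    return " ".join([parts[0].lower()] + parts[1:])


def filter_commands(body, max_commands=MAX_COMMANDS):
    """Return (to_run, duplicates_skipped, dropped_over_limit) for one message."""
    seen = set()
    to_run, duplicates, dropped = [], 0, 0
    for raw in body.splitlines():
        cmd = normalize(raw)
        if cmd is None:
            continue
        if cmd == "end":              # Majordomo's "end" stops command processing
            break
        if cmd in seen:               # same command already queued: ignore it
            duplicates += 1
        elif len(to_run) >= max_commands:
            dropped += 1              # distinct command, but the message is over the cap
        else:
            seen.add(cmd)
            to_run.append(cmd)
    return to_run, duplicates, dropped


if __name__ == "__main__":
    # The command list from the message above, with its tab indentation.
    example = "\tlists\n\tlists\n\tnewconfig\n\tinfo\n\tintro\n\tintro\n\tlists\n"
    print(filter_commands(example))
    # Constructed input: one message carrying 100 'lists' lines.
    print(filter_commands("lists\n" * 100))
    # Constructed input: 30 distinct commands, which only the cap bounds.
    print(filter_commands("\n".join(f"info list{i}" for i in range(30))))
```

Duplicate suppression bounds the work only when the repeated lines are identical; the cap bounds it for a message of distinct commands.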

