Great Circle Associates Majordomo-Workers
(December 1997)

Subject: Re: 1.94.4 security hole with :include:syslog
From: mhpower @ MIT . EDU
Date: Mon, 15 Dec 1997 00:27:42 EST
To: majordomo-workers @ greatcircle . com, tibbs @ hpc . uh . edu
In-reply-to: <ufan2i7c9xq.fsf@sina.hpc.uh.edu>

>Trying :include: will fail in more than one way, but I put a hostile
>address check in just in case.  Pick whatever hunks please you.

I checked each part of the patch, and the subscribe attempt failed
with each of the three possible error messages (unquoted components,
not complete address, hostile address), depending on which part of
the patch was applied. The checks that produce the "unquoted" and
"hostile" errors look to me like they should be reasonable additions
to the standard majordomo.pl. I think that the "Addresses must have
both an @ and a ." change may present problems for sites with some
sendmail versions/configurations (possibly only ones based on sendmail
version 5). On these sites, mail from local users doesn't have an '@'
and a domain name in the "From:" line, and even if a user creates such
a "From:" line, the '@' and domain name will be stripped out. Thus,
there'd be no simple way for a local user to subscribe to a list.

>Hmmm, that seems like a combination of several factors, some of which seem
>to be of questionable security in their own right and having nothing to do
>with Majordomo.

I think that if installing Majordomo adds a new external file-exposure
vulnerability to any reasonably standard system configuration, then
these factors are relevant to Majordomo's design and should at least
be documented, if not worked around by the Majordomo code.

>             ... Does sendmail really recursively expand include lists?
>That seems like a bad thing.

It does. It's also possibly useful, for example if an enterprise-wide
mailing list is arranged using an :include: of a file that itself has
:include:'s of department mailing-list files, which in turn have
:include:'s of individual office mailing-list files.

>                          ... And putting the syslog data in the middle of
>the mail queue seems quite questionable to me; I wouldn't put anything
>there with a name that can be guessed at.

Even if there's no real justification for putting a log file there,
many operating systems have shipped with this as the original syslog
configuration, including 4.3 BSD and some or all versions of HP-UX,
AIX, Digital Unix, Ultrix, NEXTSTEP, A/UX, and NEWS-OS. Often people
don't change the filenames used by their vendor's syslog.conf.

Matt Power
mhpower@mit.edu
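As an added illustration of the three checks Matt describes (this is example code written for this page, not the patch under discussion or Majordomo's own majordomo.pl), with the "must have both an @ and a ." rule made optional for the sendmail-5 sites he mentions. What counts as "hostile" is this example's assumption: sendmail's :include: file, program (leading "|") and file (leading "/") delivery forms in the local part.

```python
import re

# Assumed definition of "hostile": local-part forms that sendmail treats as
# delivery instructions rather than mailbox names. Checked on the raw string,
# before quoting is considered, so a quoted ":include:" is rejected too.
HOSTILE = re.compile(r":include:|^[|/]", re.IGNORECASE)

# RFC 822 quoted-string; its contents are allowed to hold any characters.
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')

# RFC 822 atom characters plus '@' and '.', the only things allowed unquoted.
ATOM_CHARS = re.compile(r"^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~@.]*$")


def check_address(addr, require_domain=True):
    """Return None if addr is acceptable for subscription, else the reason.

    require_domain=False is for sites whose MTA strips '@domain' from local
    users' From: lines (the sendmail version 5 case raised in the thread).
    """
    addr = addr.strip()
    if not addr:
        return "not complete address"
    if HOSTILE.search(addr):
        return "hostile address"
    # Replace each quoted string by a placeholder atom, then anything left that
    # is not an atom character (spaces, parentheses, commas, ...) is unquoted.
    bare = QUOTED.sub("q", addr)
    if '"' in bare or not ATOM_CHARS.match(bare):
        return "unquoted components"
    if require_domain:
        local, sep, domain = bare.rpartition("@")
        if not sep or not local or "." not in domain:
            return "not complete address"
    return None


if __name__ == "__main__":
    # Constructed sample subscription requests.
    for sample in ["user@example.com", '"a user"@example.com',
                   "a user@example.com", ":include:/var/spool/mqueue/syslog",
                   "user@localhost", "user"]:
        print(repr(sample), "->", check_address(sample) or "accepted")
```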