>>>>> "MD" == Marilyn Davis <marilyn@deliberate.com> writes:
MD> The exim people have the solution, a configuration parameter, that's
MD> all. I tell you, exim is dynomite!
Yes, I use it myself.
MD> Do you know what he's saying about the "auth hash seed"?
Yes. The confirmation method Mj1 uses is stateless; it generates a token
based entirely on some data in your majordomo.cf and the address. When it
gets the auth command back, it makes sure the token matches the address
it's working with. Unfortunately the algorithm is dumb and it's easy to
extract the seed and thus generate tokens for your site at will.
How to fix this:
1) Use Mj2; we use a stateful method and our tokens are random numbers.
2) Use something like SHA1 or MD5 to generate the token. Easy and much
more secure. (This would take someone who knows what they're doing
something like ten minutes to do.)
- J<
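The two fixes J< lists, written out as an added example (not code from this thread or from Majordomo): a stateless token derived from the seed and the address with a keyed hash (HMAC-SHA256 here rather than a bare MD5/SHA1 of seed+address, so that observed tokens do not let anyone recover the seed), and a stateful store of random tokens as Mj2 does. The seed value, the address normalisation and the in-memory store are assumptions.

```python
import hmac
import hashlib
import secrets

# Hypothetical stand-in for the "auth hash seed" kept in majordomo.cf (constructed value).
AUTH_HASH_SEED = b"example-seed-from-majordomo.cf"


def _norm(address: str) -> bytes:
    # Assumed normalisation: case-insensitive match on the whole address.
    return address.strip().lower().encode("utf-8")


def stateless_token(address: str, seed: bytes = AUTH_HASH_SEED) -> str:
    """Option 2: token = keyed hash of the address under the site seed.

    A keyed MAC, unlike a plain hash of seed+address, gives an attacker who
    collects tokens for addresses they control no way to derive the seed or
    forge a token for another address.
    """
    return hmac.new(seed, _norm(address), hashlib.sha256).hexdigest()[:32]


def stateless_verify(address: str, token: str, seed: bytes = AUTH_HASH_SEED) -> bool:
    """Recompute the token for the address and compare in constant time."""
    return hmac.compare_digest(stateless_token(address, seed), token)


class StatefulTokenStore:
    """Option 1 (the Mj2 approach): tokens are random and remembered server-side."""

    def __init__(self) -> None:
        self._pending: dict[str, bytes] = {}  # token -> normalised address

    def issue(self, address: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits, nothing to derive
        self._pending[token] = _norm(address)
        return token

    def redeem(self, address: str, token: str) -> bool:
        """Accept the token once, and only for the address it was issued to."""
        pending = self._pending.get(token)
        if pending is None or not hmac.compare_digest(pending, _norm(address)):
            return False
        del self._pending[token]  # single use
        return True
```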