At 5:16 PM -0500 3/9/05, John R Levine wrote:
> > Someone has contacted me about a security issue with Majordomo 1.94.5
>> (the current release). Essentially, the algorithm used to generate
>> cookies for use in "auth" commands is weak and easily reversible.
>
>They're right, but the main problem is that people often forget to change
>the default nonce used to generate them.
>
>Given the level of the threat, if you simply advise people to change the
>nonce, and to use different ones if they have multiple mj1 setups for
>different virtual domains, that should be fine.
That doesn't appear to be sufficient. The person who contacted me
included code which figures out what the nonce (the "cookie_seed" in
the Majordomo.cf file) is; the code is only about 40 lines of Perl.
>I'd rather put effort into sticking a stake in the ground to ship mj 2.0
>so people will believe that it's a released product.
So would I, but I've about given up hope for it ever being released.
I'd love to be proven wrong.
-Brent
--
Brent Chapman <Brent@GreatCircle.COM>
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841
References:
|
|
