Date:      Wed, 12 Feb 2003 21:09:26 -0300
From:      Kerozene 1999-2002 c0oL! <kerozene@hackemate.com.ar>
To:        freebsd-questions@FreeBSD.ORG
Cc:        security@FreeBSD.ORG
Subject:   security bug!
Message-ID:  <415580013.20030212210926@hackemate.com.ar>

I got in contact with you to inform you that the majordomo software you
are using now has a big vulnerability hole, which let me get your whole
list of members; for example:

aic7xxx                 canningj@fac.fadmin.unb.ca
aic7xxx                 coyote@step.polymtl.ca
aic7xxx                 thornto@heartlab.rri.uwo.ca
aic7xxx                 krockel@bnr.ca
aic7xxx                 ry40@rz.uni-karlsruhe.de
aic7xxx                 st2j207@staix5.hs.uni-hamburg.de
aic7xxx                 thomas@dagobert.uni-duisburg.de
aic7xxx                 u1154@bwl.uni-kiel.de
aic7xxx                 cad@sparc62.m30x.nbg.scn.de

... and the list goes on. You should patch it or upgrade to next
version as soon as possible!

You should check the configuration of all your lists, and in those
where the WHICH command is enabled, it should be disabled.
A patch has been published for the source of Majordomo 1.9.5:

- --- majordomo.orig Mon Feb 3 13:23:45 2003
+++ majordomo Mon Feb 3 13:23:23 2003
@@ -624,6 +624,11 @@

sub do_which {
local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+ if ($subscriber !~
/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+
+ &log("which abuse -> $subscriber passed as an argument.");
+ exit(0);
+ };
local($count, $per_list_hits) = 0;
# Tell the requestor which lists they are on by reading through all
# the lists, comparing their address to each address from each list
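Review bot: the hunk as quoted will not apply cleanly: the added condition is wrapped across two lines, and its continuation `/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {` carries no leading `+`, so `patch` would read it as an unchanged context line; re-join it onto the `+ if ($subscriber !~` line before applying. The regex is also stricter than real addresses: it rejects `+` in the local part and any top-level domain longer than three letters (`.info`, `.museum`), so legitimate `which` requests from such addresses are logged as "which abuse" and, as far as the hunk shows, dropped by `exit(0)` without any reply to the requester; widening the character classes and returning an error message instead of exiting would avoid that. Note too that the check only rejects malformed arguments: a well-formed address still gets an answer, so disabling WHICH in the list configuration, as the message itself recommends, remains the stronger mitigation.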

If you are a user of Majordomo 2 you should get the latest version from CVS.

You can get more info at the following:

Majordomo http://www.greatcircle.com/majordomo

Majordomo info leakage (mailing list exposure), all versions
http://www.securitybugware.org/mUNIXes/5971.html

Majordomo Mailing List Default Configuration Discloses List E-mail Addresses to Remote Users
http://www.securitytracker.com/alerts/2003/Feb/1006040.html

Majordomo Disclosure of Subscribed Email Addresses
http://www.secunia.com/advisories/8010/

Greets to all of you, Pablo G. Sabbatella

|- kerozene@hackemate.com.ar - http://www.hackemate.com.ar/
|PGP Key: http://www.hackemate.com.ar/pgp-keys/ | 0xFB655656
|Key Fingerprint =  2C16 5977 58DD 5368 33AB 7EDB 93E8 E879 FB65 5656 
| hackemate-alta@elistas.net &  uhc-alta@elistas.net ADMIN
|May your wisdom not be a humiliation to your neighbour - Khayyam


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
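The message above tells list owners to check every list's configuration and disable the WHICH command where it is enabled. The script below is an added example, not code from the message or from the Majordomo project: it audits a set of per-list config files for that setting and rewrites any that leave it open. It assumes the Majordomo 1.9x convention of `key = value` lines in each list's config file and that the key governing WHICH is `which_access` with the values `open`, `closed` or `list`; it treats a missing key as `open`, following the advisory title quoted above that says the default configuration discloses addresses. The sample configs are constructed for the example.

```python
"""Audit Majordomo 1.9x-style list configs for an open WHICH command.

Added example, not part of the original message and not Majordomo code.
Assumptions (labelled): per-list config files consist of "key = value"
lines, the key controlling WHICH is `which_access` with values `open`,
`closed` or `list`, and an absent key means the (open) default applies.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample configs in the assumed Majordomo 1.9x "key = value" style.
SAMPLE_CONFIGS: Dict[str, str] = {
    "aic7xxx.config": (
        "# constructed sample\n"
        "description = Adaptec SCSI driver discussion\n"
        "which_access = open\n"
    ),
    "freebsd-questions.config": (
        "description = FreeBSD user questions\n"
        "which_access = closed\n"
    ),
    # No which_access key at all: assumed to fall back to the open default.
    "private.config": "description = internal list\n",
}

KEY_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse "key = value" lines, ignoring blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_RE.match(line)
        if match:
            cfg[match.group(1).lower()] = match.group(2)
    return cfg


def audit_which_access(configs: Dict[str, str], default: str = "open") -> List[Tuple[str, str]]:
    """Return (config name, effective setting) for every list where WHICH is not closed."""
    findings: List[Tuple[str, str]] = []
    for name, text in configs.items():
        setting = parse_config(text).get("which_access", default)
        if setting.lower() != "closed":
            findings.append((name, setting))
    return findings


def close_which_access(text: str) -> str:
    """Return the config text with which_access forced to closed (added if absent)."""
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        match = KEY_RE.match(line)
        if match and match.group(1).lower() == "which_access":
            lines[i] = "which_access = closed"
            replaced = True
    if not replaced:
        lines.append("which_access = closed")
    return "\n".join(lines) + "\n"


def harden_all(configs: Dict[str, str]) -> Dict[str, str]:
    """Apply close_which_access to every config and return the new texts."""
    return {name: close_which_access(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, setting in audit_which_access(SAMPLE_CONFIGS):
        print(f"{name}: which_access is {setting!r}, should be 'closed'")
    assert audit_which_access(harden_all(SAMPLE_CONFIGS)) == []
    print("all sample lists closed")
```

On a real installation you would read the `*.config` files from the lists directory into the dictionary instead of using the constructed samples, and review the rewritten text before writing it back, since the key name and default are assumptions to confirm against your Majordomo version's documentation.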