From owner-freebsd-chat Mon Oct 7 5:50:37 2002
Date: Mon, 7 Oct 2002 13:50:25 +0100
From: Burhan Nazir
To: chat@freebsd.org
Subject: which - SECURITY BREACH?
Message-ID: <20021007125025.GG7713@host-123.syseng.cableinet.net>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-chat@FreeBSD.ORG

Hello,

It seems that sending the "which" command to majordomo can return a list of email addresses subscribed to all lists matching any domain name that you specify. This has huge spamming implications.

For example, sending:

    which freebsd.org

to majordomo@freebsd.org will return a list of ALL subscribers with domain freebsd.org.

Is this a security flaw with majordomo? By disabling "which", customers lose the ability to query which lists they are subscribed to. This seems weird?

-Burhan

-- 
FreeBSD 4.6.2-RELEASE * http://www.freebsd.org
1:35PM up 45 days, 23:12, 11 users, load averages: 0.00, 0.00, 0.00
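To make the disclosure concrete, here is an added Python model (not majordomo's own code and not from the poster) of the pattern lookup the message describes, beside a self-only variant that keeps the legitimate "which lists am I on" use while removing domain-wide harvesting; the subscriber data and the `which_self_only` and `is_harvest_pattern` names are constructed assumptions for this example.

```python
import re

# Constructed sample subscriber data for this demonstration (not from any real list server).
SUBSCRIBERS = {
    "freebsd-chat": ["alice@example.org", "bob@example.net", "carol@freebsd.example"],
    "freebsd-hackers": ["alice@example.org", "dave@example.org"],
}


def which_unrestricted(pattern):
    """Model of the behaviour the post describes: every subscriber address on every
    list that contains the pattern (for example a bare domain) is returned, so one
    request discloses all addresses at that domain."""
    result = {}
    for list_name, addresses in SUBSCRIBERS.items():
        for addr in addresses:
            if pattern.lower() in addr.lower():
                result.setdefault(addr, []).append(list_name)
    return result


def which_self_only(requester, pattern):
    """Hardened variant (an assumption, not a documented majordomo option): the
    request is answered only for the requester's own address, so a subscriber still
    sees which lists they are on, while a domain pattern reveals nothing about others.
    Assumes `requester` was verified (e.g. by a confirmation round trip), because the
    sender address of an incoming command mail cannot be trusted on its own."""
    if pattern.lower() not in requester.lower():
        return {}
    lists = [
        name for name, addrs in SUBSCRIBERS.items()
        if requester.lower() in (a.lower() for a in addrs)
    ]
    return {requester: lists} if lists else {}


def is_harvest_pattern(pattern):
    """Defender's check for logging or alerting: a pattern that is not a complete
    single address (local part, '@', domain) matches by substring and therefore has
    the shape of a domain-wide lookup rather than a self-lookup."""
    return not re.match(r"^[^@\s]+@[^@\s]+$", pattern.strip())


if __name__ == "__main__":
    print(which_unrestricted("example.org"))
    print(which_self_only("alice@example.org", "example.org"))
    print(is_harvest_pattern("example.org"), is_harvest_pattern("alice@example.org"))
```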