I am getting in contact with you to inform you that the majordomo software you
are using now has a big vulnerability hole, which let me get your whole
list of members; for example:

aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]
aic7xxx                 [EMAIL PROTECTED]

... and the list goes on. You should patch it or upgrade to the next
version as soon as possible!

You should check the configuration of all your lists, and in those
where the WHICH command is enabled, it should be disabled.
A patch has been published for the source of Majordomo 1.9.5:

- --- majordomo.orig Mon Feb 3 13:23:45 2003
+++ majordomo Mon Feb 3 13:23:23 2003
@@ -624,6 +624,11 @@

sub do_which {
local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+ if ($subscriber !~
/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+
+ &log("which abuse -> $subscriber passed as an argument.");
+ exit(0);
+ };
local($count, $per_list_hits) = 0;
# Tell the requestor which lists they are on by reading through all
# the lists, comparing their address to each address from each list
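Review bot: the regex continuation line (`/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/`) carries no `+` prefix, so the hunk will not apply as pasted; the `+ if ($subscriber !~` line and the pattern are one added source line that the mail client wrapped, and they need to be rejoined before applying. On the check itself: `exit(0)` after the log entry terminates the whole majordomo run rather than returning to the command loop, so any other commands in the same request message are silently dropped, and a plain `return` would be the better reaction to a rejected argument; and the pattern rejects legitimate addresses with a `+` in the local part or a top-level domain longer than three letters, so those subscribers would be logged as `which abuse` instead of being answered. The intent of forcing `which` to take one complete address, instead of a substring or wildcard that matches every subscriber, is sound; the address pattern just needs to be broader.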

If you are a user of Majordomo 2 you should get the latest version from CVS.

You can get more info at the following:

Majordomo http://www.greatcircle.com/majordomo

Majordomo info leakage (mailing list exposure), all versions
http://www.securitybugware.org/mUNIXes/5971.html

Majordomo Mailing List Default Configuration Discloses List E-mail Addresses to Remote Users
http://www.securitytracker.com/alerts/2003/Feb/1006040.html

Majordomo Disclosure of Subscribed Email Addresses
http://www.secunia.com/advisories/8010/

Greets to all of you, Pablo G. Sabbatella

|- [EMAIL PROTECTED] - http://www.hackemate.com.ar/
|PGP Key: http://www.hackemate.com.ar/pgp-keys/ | 0xFB655656
|Key Fingerprint =  2C16 5977 58DD 5368 33AB 7EDB 93E8 E879 FB65 5656 
| [EMAIL PROTECTED] &  [EMAIL PROTECTED] ADMIN
|May your wisdom not be a humiliation for your neighbour - Khayyam


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message