Bugtraq mailing list archives

Re: Majordomo SECURITY problem and fix


From: dans () ans net (Dan Simoes)
Date: Wed, 8 Jun 1994 08:48:02 -0400 (EDT)


Knowing that the bugtraq list used Majordomo, I asked about the
security problem on the majordomo-users mailing list.  I was forwarded
a copy of an announcement that was sent to the majordomo-workers list.

I'm not real pleased that I had to actively search for this...

I think the reasoning was that people on the -users list might
try to exploit it, whereas people on the -workers list are
trying to plug it; just a guess though.

For folks running 1.62 out of the box, here's what I think is the
quickest fix (as yet unverified but implemented):

cd ~majordom
chmod 000 wrapper 

edit the following files and change occurrences of "$to" or "$reply_to"
to -t as stated in the note sent by John R:

majordomo.cf line 21
majordomo.pl line 225
resend line 326,328
new-list 40
request-answer 40

when done,

chmod 6775 wrapper

Please let me know if this is insufficient.

| Dan |
-- 
Dan Simoes                                dans () ans net
Associate Programmer                     (914) 789-5378
Advanced Network & Services               Elmsford, NY
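
A check for the edit described in the message above, as an added example that is not part of the original post or of Majordomo. The file names come from the message; treating any line containing the word "sendmail" as a mailer invocation is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the "$to"/"$reply_to" -> -t edit before re-enabling
# the wrapper. Not Majordomo code.
# Assumption: mailer invocations are recognisable by the word "sendmail".

# Files named in the message.
FILES="majordomo.cf majordomo.pl resend new-list request-answer"

# unpatched_lines DIR
# Prints file:line:text for every mailer line that still interpolates
# $to or $reply_to. Returns 0 when none remain, 1 otherwise.
unpatched_lines() {
    dir=$1
    found=0
    for f in $FILES; do
        [ -f "$dir/$f" ] || continue
        # Match $to / $reply_to as whole variable names (not $total etc.).
        hits=$(awk -v f="$f" \
            '/sendmail/ && /\$(to|reply_to)([^A-Za-z0-9_]|$)/ {
                 print f ":" FNR ":" $0
             }' "$dir/$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# wrapper_disabled DIR
# Succeeds only while the wrapper is still mode 000, i.e. the
# "chmod 000 wrapper" step is in effect during the edit.
wrapper_disabled() {
    [ "$(ls -l "$1/wrapper" | cut -c1-10)" = "----------" ]
}

# Typical use, run from the Majordomo home directory:
#   wrapper_disabled . && unpatched_lines . && chmod 6775 wrapper
```

The final `chmod 6775 wrapper` only runs if the wrapper was disabled during the edit and no listed file still passes an address variable on a mailer line.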


