Bugtraq mailing list archives

Re: Vulnerability in Majordomo


From: steve_hill () VNET IBM COM (Steve Hill)
Date: Tue, 26 Aug 1997 18:05:54 +0100


Folks,

I have discovered a vulnerability in "majordomo" that allows local and
remote users to execute commands with the rights of the user running the
server.

-- majordomo --
foreach $i (@array) {
    $command = "(q~$reply_addr~ =~ $i)";   # address interpolated into Perl source
    $result = 1, last if (eval $command);  # string eval then runs that source
}
-- end majordomo --
$reply_addr is the result of some paranoid validation. It cannot contain
<, >, [, ], -, +, (, ), ; etc.

I am too tired to find a fix for this right now. Some more validation
might help.

Although I know little of the internals of majordomo, this is a standard
validation problem just like the slew of CGI vulnerabilities that
recirculated about 6 months ago. This has probably been said a million times
before, but as these vulnerabilities seem to keep re-appearing maybe it's
worth saying again.

By far the safest way of doing any sort of validation is to provide a list
of the safe characters, and not permit anything else. The perl to implement
such a scheme is remarkably simple:

  $reply_addr =~ s/[^\w\.@-]//g;

This will remove all characters which are not alphanumeric, a period, an at
symbol or a hyphen. Of course, you may like to include a small piece of code
which saves insecure strings in a file somewhere, along with the sender.

Steve
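
The allow-list approach above, as an added example that is not part of the original post or of Majordomo's own code. It applies the substitution from the post, records anything it had to strip together with the sender, and then matches the address against the configured patterns with an ordinary regex match instead of building Perl source and passing it to string eval. The pattern list, the sender, the log file path and the sample addresses are constructed for the example; the patterns are plain regex bodies rather than Majordomo's delimited form.

```perl
#!/usr/bin/perl
# Added example (not Majordomo's code): allow-list validation of a reply
# address, plus a match loop that never passes data to string eval.
use strict;
use warnings;

# Constructed stand-in for Majordomo's @array of admin-supplied patterns.
my @array = ( 'owner-.*@example\.org', '^listadmin@example\.org$' );

# Keep only word characters, '.', '@' and '-'; everything else is removed.
# Returns the cleaned address and 1 if any character had to be stripped.
sub sanitize_reply_addr {
    my ($addr) = @_;
    my $clean = $addr;
    my $removed = ($clean =~ s/[^\w\.@-]//g);   # s///g returns the count
    return ($clean, $removed ? 1 : 0);
}

# Match with a normal regex; the address is data, never code. A malformed
# admin pattern dies at match time, so a block eval (not string eval)
# turns that into "no match" instead of aborting the server.
sub addr_matches {
    my ($addr, @patterns) = @_;
    foreach my $i (@patterns) {
        my $hit = eval { $addr =~ /$i/ };
        return 1 if $hit;
    }
    return 0;
}

# Append rejected raw input and its sender to a file, as the post suggests.
sub log_insecure {
    my ($sender, $raw, $logfile) = @_;
    open(my $fh, '>>', $logfile) or die "cannot open $logfile: $!";
    print $fh scalar(localtime), " sender=$sender raw=$raw\n";
    close($fh);
}

# Demo on constructed input (hypothetical sender and log path).
my $sender  = 'joe@example.org';
my $logfile = '/tmp/majordomo-insecure.log';
for my $raw ('owner-test@example.org', 'joe@example.org;(foo)') {
    my ($clean, $removed) = sanitize_reply_addr($raw);
    log_insecure($sender, $raw, $logfile) if $removed;
    printf "%-25s -> %-22s matches=%d removed=%d\n",
        $raw, $clean, addr_matches($clean, @array), $removed;
}
```

The second sample shows why the allow-list matters: the `;` and parentheses are simply gone after sanitizing, so even if a later stage did interpolate the string into code there is nothing left to change its meaning. Dropping the string eval is the stronger fix, though, because it removes the code path rather than relying on the filter to catch every dangerous character.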


