Bugtraq mailing list archives
Re: Vulnerability in Majordomo
From: steve_hill () VNET IBM COM (Steve Hill)
Date: Tue, 26 Aug 1997 18:05:54 +0100
Folks,
I have discovered a vulnerability in "majordomo" that allows local and remote users to execute commands with the rights of the user running the server.
-- majordomo --
foreach $i (@array) {
    $command = "(q~$reply_addr~ =~ $i)";
    $result = 1, last if (eval $command);
}
-- end majordomo --

$reply_addr is the result of some paranoid validation. It cannot contain <,>,[,],-,+,(,),; etc.
I am too tired to find a fix for this right now. Some more validation might help.
Although I know little of the internals of majordomo, this is a standard validation problem just like the slew of CGI vulnerabilities that recirculated about 6 months ago.

This has probably been said a million times before, but as these vulnerabilities seem to keep re-appearing maybe it's worth saying again. By far the safest way of doing any sort of validation is to provide a list of the safe characters, and not permit anything else. The perl to implement such a scheme is remarkably simple:

    $reply_addr =~ s/[^\w\.@-]//g;

This will remove all characters which are not alphanumeric, a period, an at symbol or a hyphen. Of course, you may like to include a small piece of code which saves insecure strings in a file somewhere, along with the sender.

Steve
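An added example, not code from the post above or from majordomo: the allowlist substitution from the reply, combined with the suggested logging of rejected strings, and a match loop that treats the address as data instead of building Perl source from it for eval. The names sanitize_addr and addr_matches, the log path, the qr// patterns and the sample addresses are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical log location for rejected input (not a majordomo path).
my $REJECT_LOG = '/tmp/rejected_addresses.log';

# Reduce an address to the allowlist from the post. If anything had to be
# stripped, record the original string and the sender for later review.
sub sanitize_addr {
    my ($raw, $sender) = @_;
    (my $clean = $raw) =~ s/[^\w\.@-]//g;
    if ($clean ne $raw && open(my $fh, '>>', $REJECT_LOG)) {
        my $entry = "sender=$sender raw=$raw";
        # Both fields are untrusted: keep only printable ASCII so the
        # log cannot be given forged lines or control sequences.
        $entry =~ s/[^\x20-\x7e]/?/g;
        print {$fh} scalar(localtime), " $entry\n";
        close $fh;
    }
    return $clean;
}

# Match the address against precompiled patterns. The address is only
# ever the left-hand operand of =~; it is never interpolated into code.
sub addr_matches {
    my ($addr, @patterns) = @_;
    for my $re (@patterns) {
        return 1 if $addr =~ $re;
    }
    return 0;
}

# Constructed sample patterns and addresses.
my @patterns = (qr/\@example\.org$/i, qr/^listadmin\@/i);
for my $raw ('alice@example.org', 'bob~x|y@example.net',
             'listadmin@lists.example.com') {
    my $addr  = sanitize_addr($raw, 'constructed-sender');
    my $state = addr_matches($addr, @patterns) ? 'match' : 'no match';
    printf "%-30s -> %-28s %s\n", $raw, $addr, $state;
}
```

Assumption to note: the patterns here are compiled qr// objects under the administrator's control; the original loop takes them as strings from @array, which is why it reaches for eval.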