Bugtraq mailing list archives
Majordomo and EXPN
From: james () OAKTREE CO UK (James Ponder)
Date: Wed, 22 Oct 1997 13:27:04 +0100
I've done the usual and checked the archives for previous mentions of this problem, but there doesn't seem to have been any. The majordomo sites that I've looked at all have this problem, including the majordomo lists themselves, even though this issue is talked about in the majordomo FAQ.

When someone sends a message to a majordomo list, the mail goes through an alias that pipes the mail through the wrapper program with a series of arguments. One argument is the name of another alias which has the list of email addresses in it (via a sendmail :include: directive).

The problem with this setup is that anyone can use EXPN on the address that mail goes to in order to reveal the alias that contains all the email addresses, then it's just a question of using EXPN on that alias and sendmail will output all the subscribers' email addresses.

e.g.:

  telnet somewhere.com 25
  220 somewhere.com ESMTP Sendmail 8.8.5/Somewhere-971021-1 ready at ...
  EXPN somewhere-announce
  250 <"|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce -h somewhere.com somewhere-announce-list"@somewhere.com>
  EXPN somewhere-announce-list
  ...

Several documents on the subject (including the FAQ) do indicate that people should choose a non-guessable alias and also disable EXPN. It would seem however that people do not do this - it is no good just choosing something that isn't myannounce-outgoing, if you don't disable EXPN, you are still vulnerable to people posting to your announcement list and downloading all your subscribers (who could be confidential customers).

I'm not really asking for comments, just making sure everyone is aware of this, as people don't seem to be - if you have chosen announce-list, announce-outgoing or announce-real, you really should change it.

Best wishes,
James

-=- James Ponder -=- james () oaktree co uk -=- http://www.oaktree.co.uk/ -=-
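Added example, not part of James Ponder's post: a Python audit of a site's own aliases file and sendmail.cf for the exposure described above. It assumes one alias per line and sendmail 8's PrivacyOptions setting (noexpn, or goaway, which includes it), which the post does not name; the sample aliases, the x7qk2-staff-out name and the sendmail.cf line are constructed.

```python
import re

# Constructed sample inputs; only the wrapper/resend alias shape comes from the post.
ALIASES = '''\
somewhere-announce: "|/usr/local/mail/majordomo/wrapper resend -l somewhere-announce -h somewhere.com somewhere-announce-list"
somewhere-announce-list: :include:/usr/local/mail/majordomo/lists/somewhere-announce
staff: "|/usr/local/mail/majordomo/wrapper resend -l staff -h somewhere.com x7qk2-staff-out"
x7qk2-staff-out: :include:/usr/local/mail/majordomo/lists/staff
'''
SENDMAIL_CF = "O PrivacyOptions=authwarnings\n"

# Outgoing-alias suffixes the post calls out as guessable.
GUESSABLE = ("-list", "-outgoing", "-real")


def expn_disabled(cf_text):
    """True if a PrivacyOptions line in sendmail.cf contains noexpn or goaway."""
    for line in cf_text.splitlines():
        m = re.match(r"\s*O\s*PrivacyOptions\s*=\s*(.*)", line)
        if m:
            opts = {o.lower() for o in re.split(r"[,\s]+", m.group(1)) if o}
            if opts & {"noexpn", "goaway"}:
                return True
    return False


def audit(aliases_text, cf_text):
    """Return (list alias, outgoing alias, name is guessable, EXPN reveals it)
    for every alias that pipes mail to 'wrapper resend'.
    Assumption: one alias per line, no continuation lines."""
    exposed = not expn_disabled(cf_text)
    findings = []
    for line in aliases_text.splitlines():
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        name, target = line.split(":", 1)
        if "wrapper resend" not in target:
            continue
        # The last resend argument is the alias holding the subscriber list.
        outgoing = target.strip().strip('"').split()[-1]
        findings.append((name.strip(), outgoing, outgoing.endswith(GUESSABLE), exposed))
    return findings


if __name__ == "__main__":
    for name, outgoing, guessable, exposed in audit(ALIASES, SENDMAIL_CF):
        print(f"{name}: outgoing={outgoing} guessable={guessable} expn_exposed={exposed}")
```

A list is only in the state the post recommends when both flags are False: a non-guessable outgoing alias and EXPN disabled.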