Bugtraq mailing list archives
Majordomo filenames used as passwords
From: marvin () NSS NU
Date: Fri, 1 Dec 2000 14:48:23 +0100
Though this is an old problem, it seems that it's not widely known.

When majordomo looks for the admin_passwd it checks the line in the list's config file and compares it against the password supplied by the user. If they match, the password is valid. If it doesn't match, majordomo opens the saved password as a file and reads a line from the file. If that line matches the user-supplied password, the password is also valid. In other words, if you have the password in a separate file, you have two valid passwords.

Many tutorials for setting up majordomo say you should put the password in a separate file named <listname>.passwd. That makes it very trivial to guess the password.

This was reported TWICE, by two different people, in 1995. None of the posts even got a reply.

The bug has been confirmed on a live majordomo 1.94.3 and the code looks the same for 1.94.5 (the latest). Code is in majordomo.pl, in main'valid_passwd.

Workaround: Move passwords from separate files into config files.

Fix: Change main'valid_passwd to not compare what's in the .config file if a file by that name exists.
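To make the two-path check concrete, here is an added Python model of the logic the post describes. It is not majordomo's Perl code; the function names, the temporary password file and the sample password are assumptions constructed for the example. The first function reproduces the lookup order that turns the password file's own name into a second accepted password; the second applies the fix the post proposes (if a file of that name exists, the config value is only a pointer to the file and is never compared as a password).

```python
import hmac
import os
import tempfile


def _first_line(path):
    """Return the first line of a password file without its newline."""
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def valid_passwd_vulnerable(configured, supplied):
    """Model of the check as the post describes it (assumed, not majordomo's code).

    Step 1 compares the raw config value with the supplied password.
    Step 2 only runs on mismatch: the config value is opened as a file and its
    first line is compared. Because step 1 never asks whether the value is a
    path, the path itself is accepted as a valid password.
    """
    if configured == supplied:
        return True
    if os.path.isfile(configured):
        return _first_line(configured) == supplied
    return False


def valid_passwd_fixed(configured, supplied):
    """Fixed ordering: decide first whether the config value names a file.

    If it does, the stored password is the file's first line and the literal
    config value is never a candidate. Comparison is constant-time so the
    check does not leak length or prefix information through timing.
    """
    if os.path.isfile(configured):
        expected = _first_line(configured)
    else:
        expected = configured
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def demo():
    """Build a constructed one-line password file and exercise both checks."""
    workdir = tempfile.mkdtemp()
    passwd_file = os.path.join(workdir, "example.passwd")  # constructed sample
    with open(passwd_file, "w", encoding="utf-8") as fh:
        fh.write("constructed-sample-password\n")

    return {
        # Both versions accept the real password stored in the file.
        "vuln_real": valid_passwd_vulnerable(passwd_file, "constructed-sample-password"),
        "fixed_real": valid_passwd_fixed(passwd_file, "constructed-sample-password"),
        # Only the vulnerable version accepts the file's path as a password.
        "vuln_path": valid_passwd_vulnerable(passwd_file, passwd_file),
        "fixed_path": valid_passwd_fixed(passwd_file, passwd_file),
        # Inline passwords (no file of that name) still work after the fix.
        "fixed_inline": valid_passwd_fixed("inline-sample-secret", "inline-sample-secret"),
        "fixed_wrong": valid_passwd_fixed(passwd_file, "not-the-password"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The workaround in the post (move the password inline into the config file) works because `os.path.isfile` is then false for the literal value and only one candidate remains; the fix makes the same guarantee hold even when an operator keeps the separate file.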