5th Feb 2003 [SBWID-5971]
COMMAND
Majordomo info leakage (mailing list exposure), all versions
SYSTEMS AFFECTED
ALL Majordomo versions including the latest Majordomo 2 (alpha)
PROBLEM
Thanks to Marco van Berkum [http://ws.obit.nl] [[email protected]] and
Jakub Klausa [[email protected]] for the advisory:
Some while ago Jakub Klausa mailed me about a problem regarding the
Majordomo mailing list program. At first we were not sure if it was a
one-time problem or a common issue, so we checked several other servers
and installed Majordomo ourselves and found ALL Majordomo versions to
be vulnerable, also the latest Majordomo 2 (alpha).
The problem:
---------------
All email addresses can be extracted from mailing lists for which
'which_access' is set to "open" in the configuration file, and
which_access is set to "open" by default!
Majordomo 1.94.5 documentation quote:
"8. By default, anyone (even non-subscribers) can use the commands
"who", "which", "index", and "get" on a list. If you create an
empty file named "listname.private" in the $listdir directory, only
members of the list can use those commands."
A typical case of RTFDOC of course, but still, why isn't the private
configuration the default one (?!). As it stands, people actually have
to read the documentation to protect their lists against evil spammers,
and we all know that admins do not always read the docs (uhuh).
So this bug can be exploited without being subscribed to any
mailing list on that server when "which_access" is set to open. The bug
is triggered by sending:
which @
or
which .
to the Majordomo daemon. Majordomo will then match "@" (or ".") against
all the mailing lists that have 'which_access' set to "open", which
matches every email address subscribed to those lists.
There is a slight difference between the new Majordomo 2 (alpha) and
the current Majordomo 1.94.x branch.
Majordomo 1.94.x gives output such as this:
>>>> which @
The string '@' appears in the following entries in lists served by
[email protected]:
List Address
==== =======
test-list [email protected]
test-list [email protected]
another-list [email protected]
another-list [email protected]
etc...
Majordomo 2 also has the bug, though to a lesser extent than 1.94.x:
>>>> which @
The pattern "/\@/i" matched the following subscriptions.
Matches for the devils mailing list:
[email protected]
-- Match limit of 1 for devils exceeded.
Matches for the britney mailing list:
[email protected]
-- Match limit of 1 for britney exceeded.
SOLUTION
Read the documentation regarding $listname.private and set all
which_access settings to "closed", or update to Majordomo 2 alpha, which
still requires the same attention.
Majordomo 1.94.5 and earlier:
=============================
As described in the documentation that comes with Majordomo 1.94.5,
create an empty file named "$listname.private" in $listdir. Note that
this only narrows the group of people able to harvest all the addresses
down to those subscribed to the list. Also check your current
configurations for open which_access settings and close them.
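An added audit script (not part of the original advisory) that implements the check above for a Majordomo 1.94.x installation. It assumes the usual 1.94.x layout of one "$listdir/<list>.config" per list with "key = value" lines, treats a missing which_access line as "open" (the documented default), and reports whether the "<list>.private" marker exists; the sample $listdir it builds is constructed for a stand-alone run.

```shell
#!/bin/sh
# Report lists whose subscriber roster answers "which @": which_access is
# "open" (or unset, which defaults to open). The private=yes/no column shows
# whether a <list>.private marker limits the exposure to subscribers only.
audit_which_access() {
  listdir="$1"
  for cfg in "$listdir"/*.config; do
    [ -e "$cfg" ] || continue
    list=$(basename "$cfg" .config)
    # Take the last uncommented "which_access = value" line; ignore trailing text.
    access=$(sed -n 's/^[[:space:]]*which_access[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$access" ] || access=open          # documented 1.94.x default
    [ "$access" = closed ] && continue       # nothing to report
    if [ -e "$listdir/$list.private" ]; then marker=yes; else marker=no; fi
    printf '%s which_access=%s private=%s\n' "$list" "$access" "$marker"
  done
}

# Constructed sample $listdir (assumed layout, not a real installation).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'which_access = open\n' > "$SAMPLE_DIR/test-list.config"
printf '# which_access = closed\nwhich_access   =   closed\n' > "$SAMPLE_DIR/another-list.config"
printf 'who_access = open\n' > "$SAMPLE_DIR/third-list.config"   # no which_access line
printf 'which_access = open\n' > "$SAMPLE_DIR/devils.config"
: > "$SAMPLE_DIR/devils.private"                                  # marker file present

audit_which_access "$SAMPLE_DIR"
```

Run it against the real $listdir of an installation; every line printed is a list that still needs which_access set to "closed" (and, at minimum, a .private marker).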
Majordomo 2:
============
The authors responded quickly and changed the default configuration
setting to "closed". Get the latest CVS version, and check your current
configurations for open which_access settings; which_access should be
closed at all times.
Jakub made a patch for Majordomo 1.94.5.
[Patch]
=======
This is a patch for Majordomo 1.94.5 which makes Majordomo ignore a
'which' request whose parameter does not (roughly) look like an e-mail
address.
--- majordomo.orig Mon Feb 3 13:23:45 2003
+++ majordomo Mon Feb 3 13:23:23 2003
@@ -624,6 +624,11 @@
sub do_which {
local($subscriber) = join(" ", @_) || &valid_addr($reply_to);
+ if ($subscriber !~ /^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+\.[a-zA-Z]{2,3}$/) {
+
+ &log("which abuse -> $subscriber passed as an argument.");
+ exit(0);
+ };
local($count, $per_list_hits) = 0;
# Tell the requestor which lists they are on by reading through all
# the lists, comparing their address to each address from each list
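Review bot: the `exit(0)` in the new guard at the top of `sub do_which` terminates the whole majordomo run on the first rejected argument, so any further commands in the same message are silently dropped and the requestor gets no explanation; after the `&log(...)` call, returning from `do_which` (and putting a short refusal into the reply) would keep the rest of the request intact. The address pattern is also stricter than real addresses: `[a-zA-Z]{2,3}` rejects four-letter and longer TLDs such as `.info`, and the local part `[0-9a-zA-Z\.\-\_]+` disallows `+`, so a legitimate `which user+tag@example.info` is logged as "which abuse"; note that the `|| &valid_addr($reply_to)` default is subjected to the same pattern when `which` arrives with no argument. Minor: the `};` closing the `if` block carries a stray semicolon.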