Bugtraq mailing list archives
Re: Bug in majordomo
From: pashdown () XMISSION COM (Pete Ashdown)
Date: Tue, 24 Jun 1997 11:50:47 -0600
Dustin Marquess said once upon a time:
On Mon, 23 Jun 1997, The Spectre wrote:
majordomo 1.94.1 has a bug in that if you disable the "lists" command, you can still get a list of all the mailing lists on the server by sending "unsubscribe * <email address>" and it will just give you a bunch of "failed to unsubscribe from ..." once for each list on the server.
Oxymoron has a patch to fix this at http://www.waste.org/~oxymoron/majordomo/
A better strategy is not to disable the "lists" command (it's been tried here, and it's a pain in the arse to answer all the people who legitimately use it), but to disable more than two subscribes in one message. Without fail, this is the indicator of some bozo subscribe-bombing a victim. Here's the patch for 1.94.3. I'm sorry I've lost the attribution: *** majordomo.unpatched Mon Jun 23 14:22:56 1997 --- majordomo Mon Jun 23 14:23:31 1997 *************** *** 234,239 **** --- 234,245 ---- # Everything from here on down is subroutine definitions sub do_subscribe { + + if (! $approved && $count > 2 ) { + &squawk("$sm: not approved"); + return 0; + } + # figure out what list we are trying to subscribe to # and check to see if the list is valid local($sm) = "subscribe";
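Review bot: The added check calls &squawk("$sm: not approved") before the context line local($sm) = "subscribe"; has run, so inside do_subscribe the message is built from whatever value of $sm an outer scope left behind rather than from the command name; move the check below that assignment or write "subscribe" literally in the string. The condition also depends on $approved and $count, neither of which is set in the visible lines: confirm that $count is the number of subscribe commands in the current message (not of all commands) so it matches the stated limit of two, and consider a reply that says the per-message subscribe limit was exceeded instead of "not approved".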
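The per-message limit described above depends on a subscribe counter that the patch does not show. The following is an added example, not part of the original post and not Majordomo code: a stand-alone Python sketch of the same policy. The simplified command grammar, the function names and the sample message are assumptions made for illustration.

```python
import re

MAX_UNAPPROVED_SUBSCRIBES = 2  # from the post: more than two in one message is refused

# Assumption: simplified grammar "subscribe <list> [<address>]"; this is not
# Majordomo's own parser.
SUBSCRIBE_RE = re.compile(r"^subscribe\s+(\S+)(?:\s+(\S.*))?$", re.IGNORECASE)


def screen_message(body, approved=False):
    """Split a command message's subscribe requests into (accepted, refused).

    Each request is a (list_name, address) tuple; address is None when the
    command omits it. Unapproved messages keep only their first two requests.
    """
    accepted, refused = [], []
    seen = 0
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # assumption: blank lines and "#" comments carry no command
        if line.lower() == "end":
            break  # assumption: nothing after "end" is processed
        match = SUBSCRIBE_RE.match(line)
        if not match:
            continue  # other commands are outside this policy
        seen += 1
        address = match.group(2).strip() if match.group(2) else None
        request = (match.group(1).lower(), address)
        if approved or seen <= MAX_UNAPPROVED_SUBSCRIBES:
            accepted.append(request)
        else:
            refused.append(request)
    return accepted, refused


def exceeds_subscribe_limit(body, approved=False):
    """True when an unapproved message asks for more than two subscriptions."""
    return bool(screen_message(body, approved)[1])


# Constructed sample message (not taken from the original post).
SAMPLE = """subscribe list-a victim@example.org
subscribe list-b victim@example.org
# a comment line
subscribe list-c victim@example.org
SUBSCRIBE list-d victim@example.org
end
subscribe list-e victim@example.org
"""
```

Counting only subscribe commands, rather than every command in the message, keeps a legitimate message that mixes "lists", "help" and one or two subscribes from being refused.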